Abstract. We present a so-called labelling method to insert cost annotations in a higher-order functional program, to certify their correctness with respect to a standard compilation chain to assembly code, and to reason on them in a higher-order Hoare logic.



1 Introduction 

In [1] we have discussed the problem of building a C compiler which can lift in a provably correct way pieces of information on the execution cost of the object code to cost annotations on the source code. To this end, we have introduced a so-called labelling approach and presented its application to a prototype compiler written in OCaml from a large fragment of the C language to the assembly languages of Mips and 8051, a 32-bit and an 8-bit processor, respectively.

In the following, we are interested in extending the approach to (higher-order) functional languages. On this issue, a common belief is well summarized by the following epigram [3]: A Lisp programmer knows the value of everything, but the cost of nothing. However, we shall show that, with some ingenuity, the methodology developed for the C language can be lifted to functional languages. Specifically, we shall focus on a rather standard compilation chain from a call-by-value λ-calculus to a register transfer level (RTL) language. Similar compilation chains have been explored from a formal viewpoint in [H] (with an emphasis on typing but with no simulation proofs) and in [3] (for type-free languages but with machine certified simulation proofs).

The compilation chain is described in the lower part of Table 1. Starting from a standard call-by-value λ-calculus with pairs, one performs first a CPS translation, then a transformation into administrative form, followed by a closure conversion, and a hoisting transformation. All languages considered are subsets of the initial one though their evaluation mechanism is refined along the way. In particular, one moves from an ordinary substitution to a specialized one where variables can only be replaced by other variables. Notable differences with respect to [3] are a different choice of the intermediate languages and the fact that we rely on a small-step operational semantics. We also diverge from [3] in that our proofs, following the usual mathematical tradition, are written to explain to a human why a certain formula is valid rather than to provide a machine with a compact witness of the validity of the formula.



Table 1. The compilation chain with its labelling and instrumentation.



The final language of this compilation chain can be directly mapped to an 
RTL language: functions correspond to assembly level routines and the functions' 
bodies correspond to sequences of assignments on pseudo-registers ended by a 
tail recursive call. 

While the extensional properties of the compilation chain have been well stud- 
ied, we are not aware of previous work focusing on more intensional properties 
relating to the way the compilation preserves the complexity of the programs. 
Specifically, in the following we will apply to this compilation chain the 'labelling 
approach' to building certified cost annotations. In a nutshell the approach con- 
sists in identifying, by means of labels, points in the source program whose cost 
is constant and then determining the value of the constants by propagating the 
labels along the compilation chain and analysing small pieces of object code with 
respect to a target architecture. 

Technically the approach is decomposed in several steps. First, for each language considered in the compilation chain, we define an extended labelled language and an extended operational semantics (upper part of Table 1). The labels are used to mark certain points of the control. The semantics makes sure that whenever we cross a labelled control point a labelled and observable transition is produced.

Second, for each labelled language there is an obvious function er erasing all 
labels and producing a program in the corresponding unlabelled language. The 
compilation functions are extended from the unlabelled to the labelled language 
so that they commute with the respective erasure functions. Moreover, the sim- 
ulation properties of the compilation functions are lifted from the unlabelled to 
the labelled languages and transition systems. 

Third, assume a labelling $\mathcal{L}$ of the source language is a right inverse of the respective erasure function. The evaluation of a labelled source program produces both a value and a sequence of labels, say $\Lambda$, which intuitively stands for the sequence of labels crossed during the program's execution. The central question we are interested in is whether there is a way of labelling the source programs so that the sequence $\Lambda$ is a sound and possibly precise representation of the execution cost of the program.

To answer this question, we observe that the object code is some kind of RTL code and that its control flow can be easily represented as a control flow graph. The fact that we have to prove the soundness of the compilation function means that we have plenty of information on the way the control flows in the compiled code, in particular as far as procedure calls and returns are concerned. These pieces of information allow to build a rather accurate representation of the control flow of the compiled code at run time.

The idea is then to perform some simple checks on the control flow graph. The main check consists in verifying that all 'loops' go through a labelled node. If this is the case then we can associate a 'cost' with every label which overapproximates the actual cost of running a sequence of instructions. An optional check amounts to verifying that all paths starting from a label have the same abstract cost. If this check is successful then we can conclude that the cost annotations are 'precise' in an abstract sense (and possibly concrete too depending on the processor considered).

If the check described above succeeds every label has a cost which in general can be taken as an element of a 'cost' monoid. Then an instrumentation of the source labelled language is a monadic transformation $\mathcal{I}$ (left upper part of Table 1) in the sense of [5] that replaces labels with the associated elements of the cost monoid. Following this monadic transformation we are back into the source language (possibly enriched with a 'cost monoid' such as integers with addition). As a result, the source program is instrumented so as to monitor its execution cost with respect to the associated object code. In the end, general logics developed to reason about functional programs such as higher-order Hoare logic [11] can be employed to reason about the concrete complexity of source programs by proving properties on their instrumented versions.

We stress that previous work on building cost annotations for higher-order functional programs we are aware of does not take formally into account the compilation process. For instance, in an early work D. Sands [12] proposes an instrumentation of call-by-value λ-calculus in order to describe its execution cost. However the notion of cost adopted is essentially the number of function calls in the source code. In a standard implementation such as the one considered in this work, different function calls may have different costs and moreover there are 'hidden' function calls which are not immediately apparent in the source code. In a more recent work, [3] addresses the problem of determining the worst case execution time of a specialised functional language called Hume. The compilation chain considered consists in compiling first Hume to the code of an intermediate abstract machine, then to C, and finally to generate the assembly code of the Renesas M32C/85 processor using standard C compilers. Then for each instruction of the abstract machine, one computes an upper bound on the worst-case execution time (WCET) of the instruction relying on a well-known aiT tool [2] that uses abstract interpretation to determine the WCET of sequences of binary instructions. While we share common motivations with this work, we differ significantly in the technical approach. In particular, (i) [3] does not address at all the proof of correctness of the cost annotations as we do, and (ii) the granularity of the cost annotations is fixed in [3] (the instructions of the Hume abstract machine) while it can vary in our approach.

In [1] we have shown that it is possible to produce a sound and precise (in an abstract sense) labelling for a large class of C programs with respect to a moderately optimising compiler. In the following we show that a similar result can be obtained for a higher-order functional language with respect to the standard compilation chain described above. Specifically we show that there is a simple labelling of the source program that guarantees that the generated object code is sound and precise. The labelling of the source program can be informally described as follows: it associates a distinct label with every abstraction and with every application which is not 'immediately surrounded' by an abstraction.

In this paper our analysis will stop at the level of an abstract RTL language, however our previously quoted work [1] shows that the approach extends to the back-end of a typical moderately optimising compiler including, e.g., dead-code elimination and register allocation. Concerning the source language, preliminary experiments suggest that the approach scales to a larger functional language such as the one considered in [3] including sums, exceptions, and side effects. Finally, we mention that the approach has also been implemented for a simpler compilation chain that bypasses the CPS translation. In this case, the function calls are not necessarily tail-recursive and the compiler generates a Cminor program¹.

In the following, section 2 describes the certification of the cost annotations and section 3 a method to reason on them. Examples and proofs are available in appendices A and B, respectively.

2 The compilation chain: commutation and simulation 

This section describes the intermediate languages and the compilation functions from an ordinary λ-calculus to a hoisted, administrative λ-calculus. For each step we check that: (i) the compilation function commutes with the function that erases labels and (ii) the object code simulates the source code.

2.1 Conventions 

The reader is supposed to be acquainted with the λ-calculus and its evaluation strategies and continuation passing style translations. In the following calculi, all terms are manipulated up to α-renaming of bound names. We denote with $\equiv$ syntactic identity up to α-renaming. Whenever a reduction rule is applied, it is assumed that terms have been renamed so that all binders use distinct variables and these variables are distinct from the free ones. Similar conventions are applied when performing a substitution, say $[T/x]T'$, of a term $T$ for a variable $x$ in a term $T'$. We denote with $fv(T)$ the set of variables occurring free in a term $T$.

Let $C, C_1, C_2, \ldots$ be one-hole contexts and $T$ a term. Then $C[T]$ is the term resulting from the replacement in the context $C$ of the hole by the term $T$ and $C_1[C_2]$ is the one-hole context resulting from the replacement in the context $C_1$ of the hole by the context $C_2$.

For each calculus, we assume a syntactic category $id$ of identifiers with generic elements $x, y, \ldots$ and a syntactic category of labels with generic elements $\ell, \ell_1, \ldots$



¹ Cminor is a type-free, memory-aware fragment of C defined in [7].



Syntax

$$
\begin{array}{lcll}
V & ::= & id \mid \lambda id^{+}.M \mid (V^{+}) & \text{(values)}\\
M & ::= & V \mid @(M, M^{+}) \mid \text{let } id = M \text{ in } M \mid (M^{+}) \mid \pi_i(M) \mid \ell > M \mid M > \ell & \text{(terms)}\\
E & ::= & [\ ] \mid @(V^{*}, E, M^{*}) \mid \text{let } id = E \text{ in } M \mid (V^{*}, E, M^{*}) \mid \pi_i(E) \mid E > \ell & \text{(eval. ctxs.)}
\end{array}
$$

Reduction rules

$$
\begin{array}{rcll}
E[@(\lambda x_1 \ldots x_n.M, V_1, \ldots, V_n)] & \to & E[[V_1/x_1, \ldots, V_n/x_n]M] \\
E[\text{let } x = V \text{ in } M] & \to & E[[V/x]M] \\
E[\pi_i(V_1, \ldots, V_n)] & \to & E[V_i] & 1 \le i \le n \\
E[\ell > M] & \xrightarrow{\ell} & E[M] \\
E[V > \ell] & \xrightarrow{\ell} & E[V]
\end{array}
$$

Label erasure

$$
er(\ell > M) = er(M > \ell) = er(M) .
$$

Table 2. An ordinary call-by-value λ-calculus: $\lambda^{\ell}$.



For each calculus, we specify the syntactic categories and the reduction rules. We let $\alpha$ range over labels and the empty word $\epsilon$. We write $M \xrightarrow{\alpha} N$ if $M$ rewrites to $N$ with a transition labelled by $\alpha$. We abbreviate $M \xrightarrow{\epsilon} N$ with $M \to N$. We also define $M \xRightarrow{\alpha} N$ as $M \to^{*} N$ if $\alpha = \epsilon$ and as $M \to^{*} \xrightarrow{\alpha} \to^{*} N$ otherwise.

We shall write $X^{+}$ (resp. $X^{*}$) for a non-empty (possibly empty) finite sequence $X_1, \ldots, X_n$ of symbols. By extension, $\lambda x^{+}.M$ stands for $\lambda x_1 \ldots x_n.M$, $[V^{+}/x^{+}]M$ stands for $[V_1/x_1](\cdots [V_n/x_n]M \cdots)$, and $\text{let } (x = V)^{+} \text{ in } M$ stands for $\text{let } x_1 = V_1 \text{ in } \cdots \text{let } x_n = V_n \text{ in } M$.



2.2 The source language 

Table 2 introduces a type-free, call-by-value λ-calculus. The calculus includes let-definitions and polyadic abstraction and pairing with the related application and projection operators. Any term $M$ can be pre-labelled by writing $\ell > M$ or post-labelled by writing $M > \ell$. In the pre-labelling, the label $\ell$ is emitted immediately while in the post-labelling it is emitted after $M$ has reduced to a value. It is tempting to reduce the post-labelling to the pre-labelling by writing $M > \ell$ as $@(\lambda x.\ell > x, M)$, however the second notation introduces an additional abstraction and a related reduction step which is not actually present in the original code. Table 2 also introduces an erasure function $er$ from the $\lambda^{\ell}$-calculus to the λ-calculus. This function simply traverses the term and erases all pre- and post-labellings. Similar definitions arise in the following calculi of the compilation chain and are omitted.



2.3 Compilation to CPS form 

Table 3 introduces a fragment of the $\lambda^{\ell}$-calculus described in Table 2 and a related CPS translation. We recall that in a CPS translation each function takes its evaluation context as an additional parameter. Then the evaluation context is always trivial. Notice that the reduction rules are essentially those of the $\lambda^{\ell}$-calculus modulo the fact that we drop the rule to reduce $V > \ell$ since post-labelling does not occur in CPS terms and the fact that we optimize the rule for the projection to guarantee that CPS terms are closed under reduction. For instance, the term $\text{let } x = \pi_1(V_1, V_2) \text{ in } M$ reduces directly to $[V_1/x]M$ rather than going through the intermediate term $\text{let } x = V_1 \text{ in } M$ which does not belong to the CPS terms.

We study next the properties enjoyed by the CPS translation. In general, the commutation of the compilation function with the erasure function only holds up to call-by-value η-conversion, namely $\lambda x.@(V, x) =_{\eta} V$ if $x \notin fv(V)$. This is due to the fact that post-labelling introduces an η-expansion of the continuation if and only if the continuation is a variable. To cope with this problem, we introduce next the notion of well-labelled term. We will see later (section 3.1) that terms generated by the initial labelling are well-labelled.

Definition 1 (well-labelling). We define two predicates $W_i$, $i = 0, 1$ on the terms of the $\lambda^{\ell}$-calculus as the least sets such that $W_1$ is contained in $W_0$ and the following conditions hold:

$$
\begin{array}{ccc}
x \in W_1 &
\dfrac{M \in W_0}{M > \ell \in W_0} &
\dfrac{M \in W_1}{\lambda x^{+}.M \in W_1}
\\[2ex]
\dfrac{M \in W_i \quad i \in \{0, 1\}}{\ell > M \in W_i} &
\dfrac{N \in W_0 \quad M \in W_i \quad i \in \{0, 1\}}{\text{let } x = N \text{ in } M \in W_i} &
\\[2ex]
\dfrac{M_i \in W_0 \quad i = 1, \ldots, n}{@(M_1, \ldots, M_n) \in W_1} &
\dfrac{M_i \in W_0 \quad i = 1, \ldots, n}{(M_1, \ldots, M_n) \in W_1} &
\dfrac{M \in W_0}{\pi_i(M) \in W_1}
\end{array}
$$

The intuition is that we want to avoid the situation where a post-labelling receives as continuation the continuation variable generated by the translation of a λ-abstraction.

Proposition 1 (CPS commutation). Let $M \in W_0$ be a term of the $\lambda^{\ell}$-calculus (Table 2). Then: $er(C_{cps}(M)) = C_{cps}(er(M))$.

The proof of the CPS simulation is non-trivial but rather standard since [TP]. The general idea is that the CPS translation pre-computes many 'administrative' reductions so that the translation of a term, say $E[@(\lambda x.M, V)]$, is a term of the shape $@(\psi(\lambda x.M), \psi(V), K_E)$ for a suitable continuation $K_E$ depending on the evaluation context $E$.

Proposition 2 (CPS simulation). Let $M$ be a term of the $\lambda^{\ell}$-calculus. If $M \xRightarrow{\alpha} N$ then $C_{cps}(M) \xRightarrow{\alpha} C_{cps}(N)$.



Syntax (CPS terms)

$$
\begin{array}{lcll}
V & ::= & id \mid \lambda id^{+}.M \mid (V^{+}) & \text{(values)}\\
M & ::= & @(V, V^{+}) \mid \text{let } id = \pi_i(V) \text{ in } M \mid \ell > M & \text{(CPS terms)}\\
K & ::= & id \mid \lambda id.M & \text{(continuations)}
\end{array}
$$

Reduction rules

$$
\begin{array}{rcll}
@(\lambda x_1 \ldots x_n.M, V_1, \ldots, V_n) & \to & [V_1/x_1, \ldots, V_n/x_n]M \\
\text{let } x = \pi_i(V_1, \ldots, V_n) \text{ in } M & \to & [V_i/x]M & 1 \le i \le n \\
\ell > M & \xrightarrow{\ell} & M
\end{array}
$$

CPS translation

$$
\begin{array}{rcl}
\psi(x) & = & x \\
\psi(\lambda x^{+}.M) & = & \lambda x^{+}, k.(M : k) \\
\psi((V_1, \ldots, V_n)) & = & (\psi(V_1), \ldots, \psi(V_n)) \\[1ex]
V : k & = & @(k, \psi(V)) \\
V : (\lambda x.M) & = & [\psi(V)/x]M \\
@(M_0, \ldots, M_n) : K & = & M_0 : \lambda x_0. \ldots (M_n : \lambda x_n.@(x_0, \ldots, x_n, K)) \\
\text{let } x = M_1 \text{ in } M_2 : K & = & M_1 : \lambda x.(M_2 : K) \\
(M_1, \ldots, M_n) : K & = & M_1 : \lambda x_1. \ldots (M_n : \lambda x_n.((x_1, \ldots, x_n) : K)) \\
\pi_i(M) : K & = & M : \lambda x.\text{let } y = \pi_i(x) \text{ in } (y : K) \\
(\ell > M) : K & = & \ell > (M : K) \\
(M > \ell) : K & = & M : (\lambda x.\ell > (x : K)) \\[1ex]
C_{cps}(M) & = & M : \lambda x.@(halt, x), \quad halt \text{ fresh}
\end{array}
$$

Table 3. CPS λ-calculus ($\lambda^{\ell}_{cps}$) and CPS translation.



2.4 Transformation in administrative CPS form 

Table 4 introduces an administrative λ-calculus in CPS form: $\lambda^{\ell}_{cps,a}$. In the ordinary λ-calculus, the application of a λ-abstraction to an argument (which is a value) may produce the duplication of the argument as in: $@(\lambda x.M, V) \to [V/x]M$. In the administrative λ-calculus, all values are named and when we apply the name of a λ-abstraction to the name of a value we create a new copy of the body of the function and replace its formal parameter name with the name of the argument as in:

$$
\text{let } y = V \text{ in let } f = \lambda x.M \text{ in } @(f, y) \;\to\; \text{let } y = V \text{ in let } f = \lambda x.M \text{ in } [y/x]M .
$$

We also remark that in the administrative λ-calculus the evaluation contexts are a sequence of let definitions associating values to names. Thus, apart from the fact that the values are not necessarily closed, the evaluation contexts are similar to the environments of abstract machines for functional languages.

Table 5 defines the compilation into administrative form along with a readback translation. The latter is useful to state the simulation property. Indeed,



Syntax

$$
\begin{array}{lcll}
V & ::= & \lambda id^{+}.M \mid (id^{+}) & \text{(values)}\\
B & ::= & V \mid \pi_i(id) & \text{(let-bindable terms)}\\
M & ::= & @(id, id^{+}) \mid \text{let } id = B \text{ in } M \mid \ell > M & \text{(CPS terms)}\\
E & ::= & [\ ] \mid \text{let } id = V \text{ in } E & \text{(evaluation contexts)}
\end{array}
$$

Reduction rules

$$
\begin{array}{rcll}
E[@(x, z_1, \ldots, z_n)] & \to & E[[z_1/y_1, \ldots, z_n/y_n]M] & \text{if } E(x) = \lambda y_1, \ldots, y_n.M \\
E[\text{let } z = \pi_i(x) \text{ in } M] & \to & E[[y_i/z]M] & \text{if } E(x) = (y_1, \ldots, y_n),\ 1 \le i \le n \\
E[\ell > M] & \xrightarrow{\ell} & E[M]
\end{array}
$$

where:

$$
E(x) = \begin{cases}
V & \text{if } E = E'[\text{let } x = V \text{ in } [\ ]] \\
E'(x) & \text{if } E = E'[\text{let } y = V \text{ in } [\ ]],\ x \neq y \\
\text{undefined} & \text{otherwise}
\end{cases}
$$

Table 4. An administrative CPS λ-calculus: $\lambda^{\ell}_{cps,a}$.



it is not true that if $M \to M'$ in $\lambda^{\ell}_{cps}$ then $C_{ad}(M) \to C_{ad}(M')$ in $\lambda^{\ell}_{cps,a}$. For instance, consider $M = (\lambda x.xx)I$ where $I = (\lambda y.y)$. Then $M \to II$ but $C_{ad}(M)$ does not reduce to $C_{ad}(II)$ but rather to a term where the 'sharing' of the duplicated value $I$ is explicitly represented.

Proposition 3 (AD commutation). Let $M$ be a λ-term in CPS form. Then:

(1) $\mathcal{R}(C_{ad}(M)) = M$.

(2) $er(C_{ad}(M)) = C_{ad}(er(M))$.

Proposition 4 (AD simulation). Let $N$ be a λ-term in CPS administrative form. If $\mathcal{R}(N) = M$ and $M \xrightarrow{\alpha} M'$ then $N \xrightarrow{\alpha} N'$ and $\mathcal{R}(N') = M'$.



2.5 Closure conversion 



The next step is called closure conversion; it consists in providing each functional value with an additional parameter that accounts for the names free in the body of the function. Following this transformation, which is described in Table 6, all functional values are closed. In our opinion, this is the only compilation step where the proofs are rather straightforward.

Proposition 5 (CC commutation). Let $M$ be a CPS term in administrative form. Then $er(C_{cc}(M)) = C_{cc}(er(M))$.

Proposition 6 (CC simulation). Let $M$ be a CPS term in administrative form. If $M \xrightarrow{\alpha} M'$ then $C_{cc}(M) \xrightarrow{\alpha} C_{cc}(M')$.



Transformation in administrative form (from $\lambda^{\ell}_{cps}$ to $\lambda^{\ell}_{cps,a}$)

$$
\begin{array}{rcll}
C_{ad}(@(x_0, \ldots, x_n)) & = & @(x_0, \ldots, x_n) \\
C_{ad}(@(x^{*}, V, V^{*})) & = & \mathcal{E}_{ad}(V, y)[C_{ad}(@(x^{*}, y, V^{*}))] & V \notin id,\ y \text{ fresh} \\
C_{ad}(\text{let } x = \pi_i(y) \text{ in } M) & = & \text{let } x = \pi_i(y) \text{ in } C_{ad}(M) \\
C_{ad}(\text{let } x = \pi_i(V) \text{ in } M) & = & \mathcal{E}_{ad}(V, y)[\text{let } x = \pi_i(y) \text{ in } C_{ad}(M)] & V \notin id,\ y \text{ fresh} \\
C_{ad}(\ell > M) & = & \ell > C_{ad}(M) \\[1ex]
\mathcal{E}_{ad}(\lambda x^{+}.M, y) & = & \text{let } y = \lambda x^{+}.C_{ad}(M) \text{ in } [\ ] \\
\mathcal{E}_{ad}((x^{+}), y) & = & \text{let } y = (x^{+}) \text{ in } [\ ] \\
\mathcal{E}_{ad}((x^{*}, V, V^{*}), y) & = & \mathcal{E}_{ad}(V, z)[\mathcal{E}_{ad}((x^{*}, z, V^{*}), y)] & V \notin id,\ z \text{ fresh}
\end{array}
$$

Readback translation (from $\lambda^{\ell}_{cps,a}$ to $\lambda^{\ell}_{cps}$)

$$
\begin{array}{rcl}
\mathcal{R}(\lambda x^{+}.M) & = & \lambda x^{+}.\mathcal{R}(M) \\
\mathcal{R}((x^{+})) & = & (x^{+}) \\
\mathcal{R}(@(x, x_1, \ldots, x_n)) & = & @(x, x_1, \ldots, x_n) \\
\mathcal{R}(\text{let } x = \pi_i(y) \text{ in } M) & = & \text{let } x = \pi_i(y) \text{ in } \mathcal{R}(M) \\
\mathcal{R}(\text{let } x = V \text{ in } M) & = & [\mathcal{R}(V)/x]\mathcal{R}(M) \\
\mathcal{R}(\ell > M) & = & \ell > \mathcal{R}(M)
\end{array}
$$

Table 5. Transformations in administrative CPS form and readback.
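As an added illustration of Table 5 (this is our example, not code from the paper or its prototype), the Python script below implements $C_{ad}$ and the readback $\mathcal{R}$ on a tuple-encoded CPS term and checks Proposition 3(1), $\mathcal{R}(C_{ad}(M)) = M$, on the CPS form of the sharing example $(\lambda x.xx)I$ of Section 2.4. The AST encoding, the `fresh` name generator, the `let_bound` helper and the sample term are assumptions of the example.

```python
import itertools

# CPS terms (Table 3) on a tuple AST, an encoding assumed by this example:
#   values  ('var', x) | ('lam', [x, ...], M) | ('tup', [V, ...])
#   terms   ('app', V, [V, ...]) | ('letp', y, i, V, M)  (= let y = pi_i(V) in M) | ('pre', l, M)
# Administrative terms (Table 4) add ('let', y, B, M) with B a value or ('proj', i, ('var', x));
# in them every argument, tuple component and projected value is a variable.
_counter = itertools.count()

def fresh(prefix):
    return f"{prefix}{next(_counter)}"

def cad(m):
    """Table 5, C_ad: name every non-variable value with a let, left to right."""
    tag = m[0]
    if tag == 'app':                  # C_ad(@(x*, V, V*)) = E_ad(V, y)[C_ad(@(x*, y, V*))]
        vals = [m[1]] + m[2]
        for j, v in enumerate(vals):
            if v[0] != 'var':
                y = fresh('y')
                rest = vals[:j] + [('var', y)] + vals[j + 1:]
                return ead(v, y, cad(('app', rest[0], rest[1:])))
        return m                      # C_ad(@(x_0, ..., x_n)) = @(x_0, ..., x_n)
    if tag == 'letp':
        x, i, v, body = m[1:]
        if v[0] == 'var':
            return ('let', x, ('proj', i, v), cad(body))
        y = fresh('y')
        return ead(v, y, ('let', x, ('proj', i, ('var', y)), cad(body)))
    return ('pre', m[1], cad(m[2]))   # C_ad(l > M) = l > C_ad(M)

def ead(v, y, hole):
    """Table 5, E_ad(V, y)[hole]: bind V to y, naming its non-variable components first."""
    if v[0] == 'lam':
        return ('let', y, ('lam', v[1], cad(v[2])), hole)
    for j, c in enumerate(v[1]):      # E_ad((x*, V, V*), y) = E_ad(V, z)[E_ad((x*, z, V*), y)]
        if c[0] != 'var':
            z = fresh('z')
            return ead(c, z, ead(('tup', v[1][:j] + [('var', z)] + v[1][j + 1:]), y, hole))
    return ('let', y, v, hole)        # E_ad((x+), y) = let y = (x+) in [ ]

def subst(v, x, t):
    """[v/x]t; the binders introduced by C_ad are fresh, so no capture can occur."""
    if isinstance(t, list): return [subst(v, x, c) for c in t]
    if not isinstance(t, tuple): return t
    if t == ('var', x): return v
    if t[0] == 'lam' and x in t[1]: return t
    return tuple(subst(v, x, c) for c in t)

def readback(m):
    """Table 5, R: substitute let-bound values back; projections stay as letp."""
    tag = m[0]
    if tag == 'lam': return ('lam', m[1], readback(m[2]))
    if tag == 'pre': return ('pre', m[1], readback(m[2]))
    if tag != 'let': return m         # variables, tuples of variables, @(x, x_1, ..., x_n)
    y, b, body = m[1], m[2], m[3]
    if b[0] == 'proj':
        return ('letp', y, b[1], b[2], readback(body))
    return subst(readback(b), y, readback(body))

def let_bound(m):
    """Names introduced by the let-definitions of an administrative term, outermost first."""
    names = []
    while m[0] in ('let', 'pre'):
        if m[0] == 'let': names.append(m[1])
        m = m[-1]
    return names

# Constructed sample: the CPS form of @(lambda x.@(x, x), lambda y.y) with continuation halt,
# i.e. @(lambda x,k.@(x, x, k), lambda y,h.@(h, y), halt). C_ad names both abstractions;
# the duplicated value I then exists once, as a let-definition, in the administrative term.
SAMPLE = ('app', ('lam', ['x', 'k'], ('app', ('var', 'x'), [('var', 'x'), ('var', 'k')])),
          [('lam', ['y', 'h'], ('app', ('var', 'h'), [('var', 'y')])), ('var', 'halt')])

if __name__ == '__main__':
    admin = cad(SAMPLE)
    print(let_bound(admin))                     # two fresh names, one per abstraction
    print(readback(admin) == SAMPLE)            # Proposition 3(1)
```

Running `readback(cad(SAMPLE))` gives back `SAMPLE` exactly, because $\mathcal{R}$ substitutes every fresh name away; `let_bound` shows the two names that $C_{ad}$ introduced for the two abstractions, which is the sharing the text refers to.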



2.6 Hoisting 

The last compilation step consists in moving all function definitions to top level. In Table 7 we formalise this compilation step as the iteration of a set of program transformations that commute with the erasure function and the reduction relation. Denote with $\lambda z^{+}.T$ a function that does not contain function definitions. The transformations consist in hoisting (moving up) the definition of a function $\lambda z^{+}.T$ with respect to either a definition of a pair or a projection, or another including function, or a labelling. Note that the hoisting transformations do not preserve the property that all functions are closed. Therefore the hoisting transformations are defined on the terms of the $\lambda^{\ell}_{cps,a}$-calculus. As a first step, we analyse the hoisting transformations.

Proposition 7 (on hoisting transformations). The iteration of the hoisting transformation on a term in $\lambda^{\ell}_{cc,a}$ (all functions are closed) terminates and produces a term satisfying the syntactic restrictions specified in Table 7.

Next we check that the hoisting transformations commute with the erasure function.

Proposition 8 (hoisting commutation). Let $M$ be a term of the $\lambda^{\ell}_{cps,a}$-calculus.

(1) If $M \leadsto N$ then $er(M) \leadsto er(N)$ or $er(M) = er(N)$.

(2) If $M \not\leadsto$ then $er(M) \not\leadsto$.

(3) $er(C_h(M)) = C_h(er(M))$.



Syntactic restrictions on $\lambda^{\ell}_{cps,a}$ after closure conversion: all functional values are closed.

Closure conversion

$$
\begin{array}{rcll}
C_{cc}(@(x, y^{+})) & = & \text{let } z = \pi_1(x) \text{ in } @(z, x, y^{+}) \\
C_{cc}(\text{let } x = B \text{ in } M) & = & \text{let } y = \lambda z, x^{+}.\text{let } z_1 = \pi_2(z), \ldots, z_k = \pi_{k+1}(z) \text{ in } C_{cc}(N) \text{ in} \\
& & \text{let } x = (y, z_1, \ldots, z_k) \text{ in } C_{cc}(M) & (\text{if } B = \lambda x^{+}.N,\ fv(B) = \{z_1, \ldots, z_k\}) \\
C_{cc}(\text{let } x = B \text{ in } M) & = & \text{let } x = B \text{ in } C_{cc}(M) & (\text{if } B \text{ not a function}) \\
C_{cc}(\ell > M) & = & \ell > C_{cc}(M)
\end{array}
$$

Table 6. Closure conversion on administrative CPS terms.



The proof of the simulation property requires some work because to close the diagram we need to collapse repeated definitions. We proceed as follows. First we introduce a relation $S_h$ that collapses repeated definitions and show that it is a simulation. Second, we show that the hoisting transformations induce a 'simulation up to $S_h$'. Namely if $M \xrightarrow{\alpha} M'$ and $M \leadsto N$ then there is a $N'$ such that $N \xrightarrow{\alpha} N'$ and $M' \;(\leadsto^{*} \circ S_h)\; N'$. Third, we iterate the previous property to derive the following one.

Proposition 9 (hoisting simulation). There is a simulation relation $\mathcal{R}_h$ on the terms of the $\lambda^{\ell}_{cps,a}$-calculus such that for all terms $M$ of the $\lambda^{\ell}_{cc,a}$-calculus we have $M\ \mathcal{R}_h\ C_h(M)$.

2.7 Composed commutation and simulation properties 

Let $C$ be the composition of the compilation steps we have considered:

$$
C = C_h \circ C_{cc} \circ C_{ad} \circ C_{cps} .
$$

We also define a relation $\mathcal{R}_C$ between terms in $\lambda^{\ell}$ and terms in $\lambda^{\ell}_h$ as:

$$
M\ \mathcal{R}_C\ P \quad \text{if} \quad \exists N.\ C_{cps}(M) = \mathcal{R}(N) \ \text{and}\ C_{cc}(N)\ \mathcal{R}_h\ P .
$$

Note that for all $M$, $M\ \mathcal{R}_C\ C(M)$.

Theorem 1 (commutation and simulation). Let $M \in W_0$ be a term of the $\lambda^{\ell}$-calculus. Then:

(1) $er(C(M)) = C(er(M))$.

(2) If $M\ \mathcal{R}_C\ N$ and $M \xRightarrow{\alpha} M'$ then $N \xRightarrow{\alpha} N'$ and $M'\ \mathcal{R}_C\ N'$.



Syntactic restrictions on $\lambda^{\ell}_{cps,a}$ after hoisting: all function definitions are at top level.

$$
\begin{array}{lcll}
C & ::= & (id^{+}) \mid \pi_i(id) & \text{(restricted let-bindable terms)}\\
T & ::= & @(id, id^{+}) \mid \text{let } id = C \text{ in } T \mid \ell > T & \text{(restricted terms)}\\
P & ::= & T \mid \text{let } id = \lambda id^{+}.T \text{ in } P & \text{(programs)}
\end{array}
$$

Specification of the hoisting transformation

$C_h(M) = N$ if $M \leadsto^{*} N \not\leadsto$, where:

$$
D ::= [\ ] \mid \text{let } id = B \text{ in } D \mid \text{let } id = \lambda id^{+}.D \text{ in } M \mid \ell > D \quad \text{(hoisting contexts)}
$$

$$
\begin{array}{lrcll}
(h_1) & D[\text{let } x = C \text{ in let } y = \lambda z^{+}.T \text{ in } M] & \leadsto & D[\text{let } y = \lambda z^{+}.T \text{ in let } x = C \text{ in } M] & \text{if } x \notin fv(\lambda z^{+}.T) \\
(h_2) & D[\text{let } x = \lambda w^{+}.\text{let } y = \lambda z^{+}.T \text{ in } M \text{ in } N] & \leadsto & D[\text{let } y = \lambda z^{+}.T \text{ in let } x = \lambda w^{+}.M \text{ in } N] & \text{if } \{w^{+}\} \cap fv(\lambda z^{+}.T) = \emptyset \\
(h_3) & D[\ell > \text{let } y = \lambda z^{+}.T \text{ in } M] & \leadsto & D[\text{let } y = \lambda z^{+}.T \text{ in } \ell > M]
\end{array}
$$

Table 7. Hoisting transformation.



3 Reasoning on the cost annotations 

We describe an initial labelling of the source code leading to a sound and precise 
labelling of the object code and an instrumentation of the labelled source pro- 
gram which produces a source program monitoring its own execution cost. Then, 
we explain how to obtain static guarantees on this execution cost by means of a 
Hoare logic for purely functional programs. 



3.1 Initial labelling 

We define a labelling function $\mathcal{L}$ of the source code (terms of the λ-calculus) which guarantees that the associated RTL code satisfies the conditions necessary for associating a cost with each label. We set $\mathcal{L}(M) = \mathcal{L}_0(M)$, where the functions $\mathcal{L}_i$ are specified in Table 8.

Proposition 10 (labelling properties). Let $M$ be a term of the λ-calculus and let $P = C(M)$ be its compilation.

(1) The function $\mathcal{L}$ is a labelling and produces well-labelled terms, namely: $er(\mathcal{L}_i(M)) = M$ and $\mathcal{L}_i(M) \in W_i$ for $i = 0, 1$.

(2) We have: $P = er(C(\mathcal{L}(M)))$.



$$
\begin{array}{rcll}
\mathcal{L}(M) & = & \mathcal{L}_0(M) \quad \text{where:} \\
\mathcal{L}_i(x) & = & x \\
\mathcal{L}_i(\lambda id^{+}.M) & = & \lambda id^{+}.\ell > \mathcal{L}_1(M) & \ell \text{ fresh} \\
\mathcal{L}_i((M_1, \ldots, M_n)) & = & (\mathcal{L}_0(M_1), \ldots, \mathcal{L}_0(M_n)) \\
\mathcal{L}_i(\pi_j(M)) & = & \pi_j(\mathcal{L}_0(M)) \\
\mathcal{L}_i(@(M, M^{+})) & = & \begin{cases} @(\mathcal{L}_0(M), (\mathcal{L}_0(M))^{+}) > \ell & \text{if } i = 0,\ \ell \text{ fresh} \\ @(\mathcal{L}_0(M), (\mathcal{L}_0(M))^{+}) & \text{if } i = 1 \end{cases} \\
\mathcal{L}_i(\text{let } x = M \text{ in } N) & = & \text{let } x = \mathcal{L}_0(M) \text{ in } \mathcal{L}_i(N)
\end{array}
$$

Table 8. A sound and precise labelling of the source code.



(3) Labels occur exactly once in the body of each function definition and nowhere else, namely, with reference to Table 7, $P$ is generated by the following grammar:

$$
\begin{array}{lcl}
P & ::= & T \mid \text{let } id = \lambda id^{+}.T_{lab} \text{ in } P \\
T_{lab} & ::= & \ell > T \mid \text{let } id = C \text{ in } T_{lab} \\
T & ::= & @(id, id^{+}) \mid \text{let } id = C \text{ in } T
\end{array}
$$

The associated RTL program is composed of a set of routines which in turn is composed of a sequence of assignments on pseudo-registers and a terminal call to another routine. For such programs the back end of the moderately optimising compiler described in [1] produces assembly code which satisfies the checks outlined in the introduction.
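To make Table 8 and Definition 1 concrete, here is an added Python example (ours, not the paper's or the prototype's code) that implements the labelling $\mathcal{L}_i$, the well-labelling predicates $W_i$, the erasure $er$ and the CPS translation of Table 3 on a tuple-encoded term. It checks Proposition 10(1) and the commutation of Proposition 1 on a labelled term, and shows the η-mismatch discussed in Section 2.3 on a term that is not well-labelled. The tuple AST, the `fresh` name generator, the sample terms and the α-normalisation `canon` used to compare terms are assumptions of the example.

```python
import itertools

# Tuple AST of the source calculus (Table 2), an encoding assumed by this example:
#   ('var', x) | ('lam', [x, ...], M) | ('app', M, [M, ...]) | ('let', x, M, N)
#   ('tup', [M, ...]) | ('proj', i, M) | ('pre', l, M) | ('post', M, l)
# CPS terms (Table 3) reuse these tags plus ('letp', y, i, V, M) for "let y = pi_i(V) in M".
_counter = itertools.count()

def fresh(prefix):
    return f"{prefix}{next(_counter)}"

def label(t, i=0):
    """Table 8, L_i: a fresh label on every abstraction body and on every application
    that is not itself the body of an abstraction (i = 0)."""
    tag = t[0]
    if tag == 'var':  return t
    if tag == 'lam':  return ('lam', t[1], ('pre', fresh('l'), label(t[2], 1)))
    if tag == 'tup':  return ('tup', [label(m) for m in t[1]])
    if tag == 'proj': return ('proj', t[1], label(t[2]))
    if tag == 'let':  return ('let', t[1], label(t[2]), label(t[3], i))
    app = ('app', label(t[1]), [label(m) for m in t[2]])
    return ('post', app, fresh('l')) if i == 0 else app

def well_labelled(t, i):
    """Definition 1: is t in W_i?  W_1 is contained in W_0; only W_0 admits M > l."""
    tag = t[0]
    if tag == 'var':  return True
    if tag == 'post': return i == 0 and well_labelled(t[1], 0)
    if tag == 'pre':  return well_labelled(t[2], i)
    if tag == 'lam':  return well_labelled(t[2], 1)
    if tag == 'let':  return well_labelled(t[2], 0) and well_labelled(t[3], i)
    if tag == 'app':  return well_labelled(t[1], 0) and all(well_labelled(m, 0) for m in t[2])
    if tag == 'tup':  return all(well_labelled(m, 0) for m in t[1])
    return well_labelled(t[2], 0)                                   # proj

def erase(t):
    """The erasure function er: drop every pre- and post-labelling."""
    if isinstance(t, list): return [erase(c) for c in t]
    if not isinstance(t, tuple): return t
    if t[0] == 'pre':  return erase(t[2])
    if t[0] == 'post': return erase(t[1])
    return tuple(erase(c) for c in t)

def subst(v, x, t):
    """[v/x]t; binders are fresh and distinct, so no capture can occur."""
    if isinstance(t, list): return [subst(v, x, c) for c in t]
    if not isinstance(t, tuple): return t
    if t == ('var', x): return v
    if t[0] == 'lam' and x in t[1]: return t
    return tuple(subst(v, x, c) for c in t)

def is_value(t):
    return t[0] in ('var', 'lam') or (t[0] == 'tup' and all(map(is_value, t[1])))

def psi(v):
    """Table 3, psi on values: a function receives its continuation as a last parameter."""
    if v[0] == 'var': return v
    if v[0] == 'tup': return ('tup', [psi(c) for c in v[1]])
    k = fresh('k')
    return ('lam', v[1] + [k], colon(v[2], ('var', k)))

def colon(m, K):
    """Table 3, M : K, with K a variable or a one-parameter abstraction."""
    if is_value(m):        # V : k = @(k, psi(V))   and   V : (lambda x.N) = [psi(V)/x]N
        return ('app', K, [psi(m)]) if K[0] == 'var' else subst(psi(m), K[1][0], K[2])
    tag = m[0]
    if tag in ('app', 'tup'):        # components are evaluated left to right
        parts = [m[1]] + m[2] if tag == 'app' else m[1]
        xs = [('var', fresh('x')) for _ in parts]
        body = ('app', xs[0], xs[1:] + [K]) if tag == 'app' else colon(('tup', xs), K)
        for part, x in reversed(list(zip(parts, xs))):
            body = colon(part, ('lam', [x[1]], body))
        return body
    if tag == 'let':  return colon(m[2], ('lam', [m[1]], colon(m[3], K)))
    if tag == 'proj':
        x, y = fresh('x'), fresh('y')
        return colon(m[2], ('lam', [x], ('letp', y, m[1], ('var', x), colon(('var', y), K))))
    if tag == 'pre':  return ('pre', m[1], colon(m[2], K))
    x = fresh('x')                   # (M > l) : K = M : (lambda x. l > (x : K))
    return colon(m[1], ('lam', [x], ('pre', m[2], colon(('var', x), K))))

def cps(m):
    """C_cps(M) = M : lambda x.@(halt, x), halt fresh."""
    x = fresh('x')
    return colon(m, ('lam', [x], ('app', ('var', 'halt'), [('var', x)])))

def canon(t, env=None, n=None):
    """Alpha-normal form: rename binders to v0, v1, ... in traversal order."""
    env, n = ({} if env is None else env), ([0] if n is None else n)
    if isinstance(t, list): return [canon(c, env, n) for c in t]
    if not isinstance(t, tuple): return t
    if t[0] == 'var': return ('var', env.get(t[1], t[1]))
    if t[0] in ('lam', 'let', 'letp'):               # binder(s) at t[1], body at t[-1]
        names = t[1] if t[0] == 'lam' else [t[1]]
        new = {x: f"v{n[0] + j}" for j, x in enumerate(names)}
        n[0] += len(new)
        head = [list(new.values())] if t[0] == 'lam' else [new[t[1]]] + [canon(c, env, n) for c in t[2:-1]]
        return (t[0], *head, canon(t[-1], {**env, **new}, n))
    return tuple(canon(c, env, n) for c in t)

def cps_commutes(m):
    """Proposition 1: er(C_cps(M)) and C_cps(er(M)) coincide up to alpha-renaming."""
    return canon(erase(cps(m))) == canon(cps(erase(m)))

# Constructed sample: let f = lambda x. pi_1((x, x)) in @(f, z)
SAMPLE = ('let', 'f', ('lam', ['x'], ('proj', 1, ('tup', [('var', 'x'), ('var', 'x')]))),
          ('app', ('var', 'f'), [('var', 'z')]))
# Not well-labelled: lambda x.(@(x, x) > l). The post-labelling's continuation is the
# continuation variable of the abstraction, so erasure and CPS differ by an eta-expansion.
BAD = ('lam', ['x'], ('post', ('app', ('var', 'x'), [('var', 'x')]), 'l_bad'))
```

`label(SAMPLE)` puts a pre-label on the body of `f` and a post-label on the outer application only, exactly as Table 8 prescribes; `cps_commutes` is true for it and false for `BAD`, whose CPS form carries the extra `lambda x.@(k, x)` continuation that erasure cannot remove.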



3.2 Instrumentation 

Given a cost monoid $\mathcal{M}$ with identity 1, we assume the analysis of the RTL code associates with each label $\ell$ an element $m_\ell$ of the cost monoid. This element is an upper bound on the cost of running the code starting from a control point labelled by $\ell$ and leading either to a control point without successors or to another labelled control point. Table 9 describes a monadic transformation, which has been extensively analysed in [6], that instruments a program (in our case $\lambda^{\ell}$) with the cost of executing its instructions. We are then back to a standard λ-calculus (without labels) which includes a basic data type to represent the cost monoid.
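As an added example (ours, not code from the paper), the Python script below reads the equations of Table 9 as an evaluator that returns (cost, value) pairs, and checks them against the label sequence $\Lambda$ produced by the labelled semantics of Table 2 on a constructed labelled term: first in the free monoid over labels, where the instrumented cost is the reversed trace because Table 9 multiplies later costs on the left, and then with integers under addition. The tuple AST, the big-step evaluator `run`, the sample term and its per-label costs are assumptions of the example.

```python
from collections import namedtuple

# Tuple AST of the labelled source calculus (Table 2), an encoding assumed by this example:
#   ('var', x) | ('lam', [x, ...], M) | ('app', M, [M, ...]) | ('let', x, M, N)
#   ('tup', [M, ...]) | ('proj', i, M) | ('pre', l, M) | ('post', M, l)
Closure = namedtuple('Closure', 'params body env')

def run(t, env, trace):
    """Big-step evaluation of a labelled term. Labels are appended to `trace` in the
    order in which the labelled transitions of Table 2 would emit them."""
    tag = t[0]
    if tag == 'var':  return env[t[1]]
    if tag == 'lam':  return Closure(t[1], t[2], env)
    if tag == 'tup':  return tuple(run(m, env, trace) for m in t[1])
    if tag == 'proj': return run(t[2], env, trace)[t[1] - 1]
    if tag == 'let':  return run(t[3], {**env, t[1]: run(t[2], env, trace)}, trace)
    if tag == 'app':                               # function, arguments left to right, then the call
        f = run(t[1], env, trace)
        args = [run(m, env, trace) for m in t[2]]
        return run(f.body, {**f.env, **dict(zip(f.params, args))}, trace)
    if tag == 'pre':                               # l > M : emit l, then evaluate M
        trace.append(t[1]); return run(t[2], env, trace)
    v = run(t[1], env, trace); trace.append(t[2]); return v   # M > l : evaluate M, then emit l

def instr(t, env, cost, one, mul):
    """Table 9 read as an evaluator: the value of the instrumented term [t] is a pair
    (m, x) of a cost-monoid element and the ordinary value. (one, mul) is the monoid and
    cost maps each label l to m_l."""
    tag = t[0]
    if tag == 'var': return (one, env[t[1]])
    if tag == 'lam': return (one, Closure(t[1], t[2], env))         # [lam x.M] = (1, lam x.[M])
    if tag == 'app':
        pairs = [instr(m, env, cost, one, mul) for m in [t[1]] + t[2]]
        f, args = pairs[0][1], [x for _, x in pairs[1:]]
        m, x = instr(f.body, {**f.env, **dict(zip(f.params, args))}, cost, one, mul)
        for mi, _ in reversed(pairs): m = mul(m, mi)                  # m_{n+1} . m_n ... m_0
        return (m, x)
    if tag == 'tup':
        pairs = [instr(m, env, cost, one, mul) for m in t[1]]
        m = one
        for mi, _ in pairs: m = mul(mi, m)                             # m_n ... m_1
        return (m, tuple(x for _, x in pairs))
    if tag == 'proj':
        m, x = instr(t[2], env, cost, one, mul); return (m, x[t[1] - 1])
    if tag == 'let':
        m1, x1 = instr(t[2], env, cost, one, mul)
        m2, x2 = instr(t[3], {**env, t[1]: x1}, cost, one, mul)
        return (mul(m2, m1), x2)                                       # m_2 . m_1
    if tag == 'pre':
        m, x = instr(t[2], env, cost, one, mul); return (mul(m, cost[t[1]]), x)   # m . m_l
    m, x = instr(t[1], env, cost, one, mul); return (mul(cost[t[2]], m), x)       # m_l . m

class FreeCost(dict):
    """Cost map for the free monoid over labels: m_l = (l,), product = concatenation."""
    def __missing__(self, l): return (l,)

# Constructed sample:  let id = lambda x. l1 > x in
#                      let q = @(id, a) > l2 in @(lambda y. l3 > (y, y), q) > l4
SAMPLE = ('let', 'id', ('lam', ['x'], ('pre', 'l1', ('var', 'x'))),
          ('let', 'q', ('post', ('app', ('var', 'id'), [('var', 'a')]), 'l2'),
           ('post', ('app', ('lam', ['y'], ('pre', 'l3', ('tup', [('var', 'y'), ('var', 'y')]))),
                            [('var', 'q')]), 'l4')))

def label_trace(t, env):
    """The sequence Lambda of labels crossed while evaluating t."""
    trace = []; run(t, env, trace); return trace

def free_monoid_cost(t, env):
    """Instrumented cost in the free monoid: the crossed labels, latest first."""
    return instr(t, env, FreeCost(), (), lambda a, b: a + b)[0]

def numeric_cost(t, env, cost):
    """Instrumented cost with integers under addition: the total instruction count."""
    return instr(t, env, cost, 0, lambda a, b: a + b)[0]

if __name__ == '__main__':
    print(label_trace(SAMPLE, {'a': 1}))          # ['l1', 'l2', 'l3', 'l4']
    print(free_monoid_cost(SAMPLE, {'a': 1}))     # ('l4', 'l3', 'l2', 'l1')
    print(numeric_cost(SAMPLE, {'a': 1}, {'l1': 2, 'l2': 3, 'l3': 5, 'l4': 7}))   # 17
```

The free-monoid run makes the soundness claim of the section visible: the instrumented program accounts for exactly the labels the labelled semantics crosses, once each, and a commutative monoid such as the integers then turns that into the bound $\sum m_\ell$ over $\Lambda$.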



3.3 Higher-order Hoare Logic 

Many proof systems can be used to obtain static guarantees on the evaluation 
of a purely functional program. In our setting, such systems can also be used 
to obtain static guarantees on the execution cost of a functional program by 
reasoning on its instrumentation. 

We illustrate this point using a Hoare logic dedicated to call-by-value purely functional programs [11]. Given a well-typed program annotated by logic assertions, this system computes a set of proof obligations, whose validity ensures the



$$
\begin{array}{rcl}
[x] & = & (1, x) \\
[\lambda x^{+}.M] & = & (1, \lambda x^{+}.[M]) \\
[@(M_0, \ldots, M_n)] & = & \text{let } (m_0, x_0) = [M_0] \cdots (m_n, x_n) = [M_n],\ (m_{n+1}, x_{n+1}) = @(x_0, \ldots, x_n) \text{ in } (m_{n+1} \cdot m_n \cdots m_0,\ x_{n+1}) \\
[(M_1, \ldots, M_n)] & = & \text{let } (m_1, x_1) = [M_1] \cdots (m_n, x_n) = [M_n] \text{ in } (m_n \cdots m_1,\ (x_1, \ldots, x_n)) \\
[\pi_i(M)] & = & \text{let } (m, x) = [M] \text{ in } (m, \pi_i(x)) \\
[\text{let } x = M_1 \text{ in } M_2] & = & \text{let } (m_1, x) = [M_1] \text{ in } (m_2, x_2) = [M_2] \text{ in } (m_2 \cdot m_1,\ x_2) \\
[\ell > M] & = & \text{let } (m, x) = [M] \text{ in } (m \cdot m_\ell,\ x) \\
[M > \ell] & = & \text{let } (m, x) = [M] \text{ in } (m_\ell \cdot m,\ x)
\end{array}
$$

Table 9. Instrumentation of labelled λ-calculus.



correctness of the logic assertions with respect to the evaluation of the functional 
program. 

Logic assertions are written in a typed higher-order logic whose syntax is given in Table 10. From now on, we assume that our source language is also typed. The metavariable $\tau$ ranges over simple types, whose syntax is $\tau ::= \iota \mid \tau \times \tau \mid \tau \to \tau$ where $\iota$ are the basic types including a data type $cm$ for the values of the cost monoid. Types are lifted to the logical level through a logical reflection $\lceil \cdot \rceil$ defined in Table 10.

We write "$\text{let } x : \tau/F = M \text{ in } M$" to annotate a let definition by a postcondition $F$ of type $\lceil \tau \rceil \to prop$. We write "$\lambda(x_1 : \tau_1)/F_1 : (x_2 : \tau_2)/F_2.\ M$" to ascribe to a λ-abstraction a precondition $F_1$ of type $\lceil \tau_1 \rceil \to prop$ and a postcondition $F_2$ of type $\lceil \tau_1 \rceil \times \lceil \tau_2 \rceil \to prop$. Computational values are lifted to the logical level using the reflection function defined in Table 10. The key idea of this definition is to reflect a computational function as a pair of predicates consisting in its precondition and its postcondition. Given a computational function $f$, a formula can refer to the precondition (resp. the postcondition) of $f$ using the predicate $pre\ f$ (resp. $post\ f$). Thus, $pre$ (resp. $post$) is a synonym for $\pi_1$ (resp. $\pi_2$).

To improve the usability of our tool, we define in Table 10 a surface language by extending λ with several practical facilities. First, terms are explicitly typed. Therefore, the labelling $\mathcal{L}$ must be extended to convey type annotations in an explicitly typed version of $\lambda^{\ell}$. The instrumentation $\mathcal{I}$ defined in Table 9 is extended to types by replacing each type annotation $\tau$ by its monadic interpretation $[\![\tau]\!]$ defined by $[\![\tau]\!] = cm \times \langle \tau \rangle$, $\langle \iota \rangle = \iota$, $\langle \tau_1 \times \tau_2 \rangle = (\langle \tau_1 \rangle \times \langle \tau_2 \rangle)$ and $\langle \tau_1 \to \tau_2 \rangle = \langle \tau_1 \rangle \to [\![\tau_2]\!]$.

Second, since the instrumented version of a source program would be cumbersome to reason about because of the explicit threading of the cost value, we keep the program in its initial form while allowing logic assertions to implicitly refer to the instrumented version of the program. Thus, in the surface language, in the term "$\text{let } x : \tau/F = M \text{ in } M$", $F$ has type $\lceil [\![\tau]\!] \rceil \to prop$, that is to say a predicate over pairs of which the first component is the execution cost.



Syntax

$$
\begin{array}{lcll}
F & ::= & True \mid False \mid x \mid F \wedge F \mid F = F \mid (F, F) \mid \pi_1 \mid \pi_2 \mid \lambda(x : \theta).F \mid F\ F \mid F \Rightarrow F \mid \forall(x : \theta).F & \text{(formulae)}\\
\theta & ::= & prop \mid \iota \mid \theta \times \theta \mid \theta \to \theta & \text{(types)}\\
V & ::= & id \mid \lambda(id : \tau)^{+}/F : (id : \tau)/F.M \mid (V^{+}) & \text{(values)}\\
M & ::= & V \mid @(M, M^{+}) \mid \text{let } id : \tau/F = M \text{ in } M \mid (M^{+}) \mid \pi_i(M) & \text{(terms)}
\end{array}
$$

Logical reflection of types

$$
\begin{array}{rcl}
\lceil \iota \rceil & = & \iota \\
\lceil \tau_1 \times \ldots \times \tau_n \rceil & = & \lceil \tau_1 \rceil \times \ldots \times \lceil \tau_n \rceil \\
\lceil \tau_1 \to \tau_2 \rceil & = & (\lceil \tau_1 \rceil \to prop) \times (\lceil \tau_1 \rceil \times \lceil \tau_2 \rceil \to prop)
\end{array}
$$

Logical reflection of values

$$
\begin{array}{rcl}
\lceil id \rceil & = & id \\
\lceil (V_1, \ldots, V_n) \rceil & = & (\lceil V_1 \rceil, \ldots, \lceil V_n \rceil) \\
\lceil \lambda(x_1 : \tau_1)/F_1 : (x_2 : \tau_2)/F_2.\ M \rceil & = & (F_1, F_2)
\end{array}
$$

Table 10. The surface language.



Third, we allow labels to be written in source terms as a practical way of giving names to the labels introduced by the labelling $\mathcal{L}$. By that means, the constant cost assigned to a label $\ell$ can be symbolically used in specifications by writing $costof(\ell)$.

Finally, as a convenience, we write "$x : \tau/F$" for "$x : \tau/\lambda(cost : cm, x : \lceil \tau \rceil).F$". This improves the conciseness of specifications by automatically allowing reference to the cost variable in logic assertions without having to introduce it explicitly.

3.4 Prototype implementation 

We implemented a prototype compiler [13] in OCaml (~ 3.5Kloc). This compiler 
accepts a program P written in the surface language extended with fixpoint and 
algebraic datatypes. Specifications are written in the Coq proof assistant [5]. A 
logic keyword is used to include logical definitions written in Coq to the source 
program. 

Type checking is performed on $P$ and, upon success, it produces a type 
annotated program $P_t$. Then, the labelled program $P_\ell = \mathcal{L}(P_t)$ is generated. 
Following the same treatment of branching as in our previous work on imperative 
programs [1], the labelling introduces a label at the beginning of each pattern 
matching branch. 

By erasure of specifications and type annotations, we obtain a program $P_\lambda$ 
of $\lambda^\ell$ (Table 5). Using the compilation chain presented earlier, $P_\lambda$ is compiled into 
a program $P_h$ of $\lambda^\ell_{h,a}$ (Table 7). The annotating compiler uses the cost model 
that consists in counting for each label $\ell$ the number of primitive operations that 
belong to execution paths starting from $\ell$ (and ending in another label or in an 
instruction without successor). 

Finally, the instrumented version of $P_\ell$ as well as the actual cost of each label 
is given as input to a verification condition generator to produce a set of proof 
obligations. These proof obligations are either proved automatically using first 
order theorem provers or manually in Coq. 

3.5 Example 

Let us consider a higher-order function pexists that looks for an integer $x$ 
in a list $l$ such that $x$ validates a predicate $p$. In addition to the functional 
specification, we want to prove that the cost of this function is linear in the 
length $n$ of the list $l$. The corresponding program written in the surface language 
can be found in Table 11. 

A prelude declares the type and logical definitions used by the specifications. 
On lines 1 and 2, two type definitions introduce data constructors for lists and 
booleans. Between lines 4 and 5, a Coq definition introduces a predicate bound 
over the reflection of computational functions from nat to nat × bool that ensures 
that the cost of a computational function $p$ is uniformly bounded by a constant $k$. 

On line 9, the precondition of function pexists requires the function $p$ to be 
total. Between lines 10 and 11, the postcondition first states a functional 
specification for pexists: the boolean result witnesses the existence of an element $x$ of 
the input list $l$ that is related to BTrue by the postcondition of $p$. The second 
part of the postcondition characterizes the cost of pexists in case of a negative 
result: assuming that the cost of $p$ is bounded by a constant $k$, the cost of pexists 
is proportional to $k \cdot n$. 

The verification condition generator produces 53 proof obligations out of this 
annotated program; 46 of these proof obligations are automatically discharged 
and 7 of them are manually proved in Coq. 
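As an added illustration of the cost specification on lines 10 and 11 of Table 11 (this is example code, not the paper's prototype nor its generated verification conditions), the following Python block runs the labelled pexists with a constructed cost for each label and checks the bound k0 + (k + k1) × length(l) on concrete lists. The label costs, the predicate is_even and its per-call cost k = 4 are assumptions of the example; in the prototype the label costs are produced by the annotating compiler.

```python
# Added example (not the paper's code): a cost-charging interpreter for the
# labelled pexists of Table 11. The per-label costs below are constructed;
# in the prototype they come from the annotating compiler.
COSTOF = {"l_m": 3, "l_nil": 1, "l_c": 2, "l_p": 1, "l_f": 1, "l_r": 2}

# Lines 06 and 07 of Table 11.
K0 = COSTOF["l_m"] + COSTOF["l_nil"]
K1 = sum(COSTOF[l] for l in ("l_m", "l_p", "l_c", "l_f", "l_r"))


class Ledger:
    """Accumulates the 'cost' variable: every label crossed adds costof(l)."""

    def __init__(self):
        self.cost = 0

    def cross(self, label):
        self.cost += COSTOF[label]


def pexists(p, l, ledger):
    """Lines 12-16 of Table 11. p returns (bool, cost of that call);
    l is a Python list playing the role of Nil / Cons."""
    ledger.cross("l_m")                     # l_m > match l with
    if not l:                               # | Nil -> l_nil > BFalse
        ledger.cross("l_nil")
        return False
    x, xs = l[0], l[1:]                     # | Cons (x, xs) -> l_c > ...
    ledger.cross("l_c")
    r, c = p(x)                             # match p (x) > l_p with
    ledger.cost += c
    ledger.cross("l_p")
    if r:                                   # | BTrue -> BTrue
        return True
    ledger.cross("l_f")                     # | BFalse -> l_f > (pexists (p, xs) > l_r)
    res = pexists(p, xs, ledger)
    ledger.cross("l_r")
    return res


def run(p, l):
    """Evaluate pexists (p, l) and return (result, total cost)."""
    ledger = Ledger()
    return pexists(p, l, ledger), ledger.cost


def cost_bound_holds(p, k, l):
    """Line 11: bound p k and result = BFalse imply
    cost <= k0 + (k + k1) * length(l). The caller guarantees bound p k."""
    res, cost = run(p, l)
    return res or cost <= K0 + (k + K1) * len(l)


def is_even(x):
    # Constructed predicate whose every call costs exactly k = 4.
    return (x % 2 == 0, 4)


if __name__ == "__main__":
    for sample in ([], [1, 3, 5], [1, 2, 5]):
        print(sample, run(is_even, sample), cost_bound_holds(is_even, 4, sample))
```

Tracing the negative case shows why the bound is tight: every Cons cell costs exactly ℓ_m + ℓ_c + k + ℓ_p + ℓ_f + ℓ_r = k + k1 and the final Nil costs ℓ_m + ℓ_nil = k0, so with a predicate of constant cost k the accumulated cost equals the bound; a positive answer stops early and stays below it.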

4 Conclusion 

We have shown that the so-called 'labelling' approach can be used to obtain 
certified execution costs on functional programs. In a realistic implementation 
of a functional programming language though, the runtime environment usually 
includes a garbage collector. The execution cost of such an automatic memory 
deallocation algorithm is a priori proportional to the size of the heap, which is 
not a sufficiently precise bound for practical use. An accurate static tracking of 
memory allocation, following region based or linear logic approaches, would be 
necessary to get relevant worst-case execution costs for memory deallocation. 

Acknowledgements We are indebted to our Master students Guillaume Claret 
and David Giron for their implementation effort which provided valuable feedback. 
This work was supported by the Information and Communication Technologies 
(ICT) Programme as Project FP7-ICT-2009-C-243881 CerCo. 



01 type list = Nil | Cons (nat, list) 
02 type bool = BTrue | BFalse 
03 logic { 
04   Definition bound (p : nat → (nat × bool)) (k : nat) : Prop := 
05     ∀ x m : nat, ∀ r : bool, post p x (m, r) ⇒ m ≤ k. 
06   Definition k0 := costof(ℓ_m) + costof(ℓ_nil). 
07   Definition k1 := costof(ℓ_m) + costof(ℓ_p) + costof(ℓ_c) + costof(ℓ_f) + costof(ℓ_r). 
08 } 
09 let rec pexists (p : nat → bool, l : list) { ∀ x, pre p x } : bool { 
10   ((result = BTrue) ⇔ (∃ x c : nat, mem x l ∧ post p x (c, BTrue))) ∧ 
11   (∀ k : nat, bound p k ∧ (result = BFalse) ⇒ cost ≤ k0 + (k + k1) × length (l)) 
12 } = ℓ_m > match l with 
13   | Nil → ℓ_nil > BFalse 
14   | Cons (x, xs) → ℓ_c > match p (x) > ℓ_p with 
15     | BTrue → BTrue 
16     | BFalse → ℓ_f > (pexists (p, xs) > ℓ_r) 

Table 11. A higher-order function and its specification. 
A Examples 

This section collects some examples. 

Example 1 (labelling and commutation). Let $M = \lambda x.xx > \ell$. Then $M \notin W_0$ 
because the rule for abstraction requires $xx > \ell \in W_1$ while we can only show 
$xx > \ell \in W_0$. Notice that we have: 

$er(\mathcal{C}_{cps}(M)) = @(halt, \lambda x,k.@(x,x,\lambda x.@(k,x)))$ 
$\mathcal{C}_{cps}(er(M)) = @(halt, \lambda x,k.@(x,x,k))$. 

So for $M$ the commutation of the cps-compilation and the erasure function only 
holds up to $\eta$. 

Example 2 (CPS). Let $M = @(\lambda x.@(x,@(x,x)), I)$, where $I = \lambda x.x$. Then 

$\mathcal{C}_{cps}(M) = @(\lambda x,k.@(x,x,\lambda y.@(x,y,k)), I', H)$ 

where: $I' = \lambda x,k.@(k,x)$ and $H = \lambda x.@(halt,x)$. The term $M$ is simulated by 
$\mathcal{C}_{cps}(M)$ as follows: 

$M \to @(I, @(I,I)) \to^+ I$ 
$\mathcal{C}_{cps}(M) \to @(I',I',\lambda y.@(I',y,H)) \to^+ @(I',I',H) \to^+ @(halt,I')$. 

Example 3 (administrative form). Suppose $N = @(\lambda x,k.@(x,x,\lambda y.@(x,y,k)), I', H)$ 
where: $I' = \lambda x,k.@(k,x)$ and $H = \lambda x.@(halt,x)$ (this is the term resulting from 
the CPS translation in example 2). The corresponding term in administrative 
form is: 

$\mathsf{let}\ z_1 = \lambda x,k.\mathsf{let}\ z_2 = \lambda y.@(x,y,k)\ \mathsf{in}\ @(x,x,z_2)\ \mathsf{in}$ 
$\mathsf{let}\ z_3 = I'\ \mathsf{in}$ 
$\mathsf{let}\ z_4 = H\ \mathsf{in}$ 
$@(z_1,z_3,z_4)$. 

Example 4 (closure conversion). Let $M = \mathcal{C}_{ad}(\mathcal{C}_{cps}(\lambda x.y))$, namely 

$M = \mathsf{let}\ z_1 = \lambda x,k.@(k,y)\ \mathsf{in}\ @(halt, z_1)$. 

Then $\mathcal{C}_{cc}(M)$ is the following term: 

$\mathsf{let}\ z_2 = \lambda z,x,k.\mathsf{let}\ y = \pi_2(z)\ \mathsf{in}\ \mathsf{let}\ z = \pi_1(k)\ \mathsf{in}\ @(z,k,y)\ \mathsf{in}$ 
$\mathsf{let}\ z_1 = (z_2, y)\ \mathsf{in}$ 
$\mathsf{let}\ z = \pi_1(halt)\ \mathsf{in}\ @(z, halt, z_1)$. 

Example 5 (hoisting transformations and transitions). Let $M = \mathsf{let}\ x_1 = \lambda y_1.N\ \mathsf{in}\ @(x_1, z)$ 
where $N = \mathsf{let}\ x_2 = \lambda y_2.T_2\ \mathsf{in}\ T_1$ and $y_1 \notin fv(\lambda y_2.T_2)$. Then we either reduce 
and then hoist: 

$M \to \mathsf{let}\ x_1 = \lambda y_1.N\ \mathsf{in}\ [z/y_1]N$ 
$\quad = \mathsf{let}\ x_1 = \lambda y_1.N\ \mathsf{in}\ \mathsf{let}\ x_2 = \lambda y_2.T_2\ \mathsf{in}\ [z/y_1]T_1$ 
$\quad \leadsto \mathsf{let}\ x_2 = \lambda y_2.T_2\ \mathsf{in}\ \mathsf{let}\ x_1 = \lambda y_1.T_1\ \mathsf{in}\ \mathsf{let}\ x_2 = \lambda y_2.T_2\ \mathsf{in}\ [z/y_1]T_1$ 

or hoist and then reduce: 

$M \leadsto \mathsf{let}\ x_2 = \lambda y_2.T_2\ \mathsf{in}\ \mathsf{let}\ x_1 = \lambda y_1.T_1\ \mathsf{in}\ @(x_1,z)$ 
$\quad \to \mathsf{let}\ x_2 = \lambda y_2.T_2\ \mathsf{in}\ \mathsf{let}\ x_1 = \lambda y_1.T_1\ \mathsf{in}\ [z/y_1]T_1 \not\leadsto$ 

In the first case, we end up duplicating the definition of $x_2$. 

Example 6 (labelling application). Let $M = \lambda x.@(x,@(x,x))$. Then $\mathcal{L}(M) = \lambda x.\ell_0 > @(x, @(x,x) > \ell_1)$. 
Notice that only the inner application is post-labelled. 

B Proofs 

This section collects the proofs of the results we have stated. 

B.1 Proof of proposition 1 [CPS commutation] 

The proof takes the following steps: 

1. We remark that if $V$ is a value in $\lambda^\ell$ and $K$ a continuation in $\lambda^\ell_{cps}$ then so 
are $er(V)$ and $er(K)$. The proof is a direct induction on the structure of $V$ 
and $K$, respectively. 

2. For all values $V$ and terms $M$ of the $\lambda^\ell$-calculus, we check that: 

$er([V/x]M) = [er(V)/x]er(M)$. 

The proof proceeds by induction on the structure of $M$. 

3. We notice that for all continuations $K$ such that $K$ is an abstraction, $\lambda x.(x : K) = K$. 

4. For all terms $M$ and continuations $K$ such that either $M \in W_0$ and $K$ is an 
abstraction or $M \in W_1$ the following holds: 

$er(M : K) = er(M) : er(K)$. 

We proceed by induction on M. 

$x$ We expand the definition of $x : K$ depending on whether $K$ is a variable 
or a function and we rely on step 2. 

$\lambda x^+.M$ We have $\lambda x^+.M \in W_1$ and $M \in W_1$. We analyse $\lambda x^+.M : K$ 
depending on whether $K$ is a variable or a function and we apply the 
inductive hypothesis on $M$ and step 2. Notice that it is essential that 
$M \in W_1$ to apply the inductive hypothesis. 

$@(M_0,\ldots,M_n)$ We know $M_0,\ldots,M_n \in W_0$. We apply the inductive 
hypothesis on $M_n,\ldots,M_0$ to conclude that: 

$er(@(M_0,\ldots,M_n)) : er(K)$ 
$= er(M_0) : \lambda x_0.\ \ldots\ er(M_n) : \lambda x_n.@(x_0,\ldots,x_n,er(K))$ 
$= er(M_0) : \lambda x_0.\ \ldots\ er(M_n : \lambda x_n.@(x_0,\ldots,x_n,K))$ 
$= er(M_0 : \lambda x_0.\ \ldots\ M_n : \lambda x_n.@(x_0,\ldots,x_n,K))$ 
$= er(@(M_0,\ldots,M_n) : K)$. 



$\ell > M$ We know that if $\ell > M \in W_i$ then $M \in W_i$ and we apply the 
inductive hypothesis on $M$. 

$M > \ell$ By definition, we must have $M > \ell \in W_0$. Hence $K$ is a function and 
$M \in W_0$. Then we apply the inductive hypothesis on $M$ and step 3. 

$(M_1,\ldots,M_n)$ We know that $M_i \in W_0$ for $i = 1,\ldots,n$. First we notice that: 

$er(\lambda x_n.(x_1,\ldots,x_n) : K) = \lambda x_n.(x_1,\ldots,x_n) : er(K)$. 

Then we apply the inductive hypothesis on $M_n,\ldots,M_1$ to conclude that: 

$er((M_1,\ldots,M_n)) : er(K)$ 
$= er(M_1) : \lambda x_1.\ \ldots\ er(M_n) : \lambda x_n.(x_1,\ldots,x_n) : er(K)$ 
$\equiv er(M_1) : \lambda x_1.\ \ldots\ er(M_n) : er(\lambda x_n.(x_1,\ldots,x_n) : K)$ 
$= er(M_1) : \lambda x_1.\ \ldots\ er(M_n : \lambda x_n.(x_1,\ldots,x_n) : K)$ 
$= er(M_1 : \lambda x_1.\ \ldots\ M_n : \lambda x_n.(x_1,\ldots,x_n) : K)$ 
$\equiv er((M_1,\ldots,M_n) : K)$. 

$\pi_i(M)$ We know $M \in W_0$. We observe that $er(y : K) = y : er(K)$. Then we 
apply the inductive hypothesis on $M$ to conclude that: 

$er(\pi_i(M)) : er(K)$ 
$\equiv \pi_i(er(M)) : er(K)$ 
$\equiv er(M) : \lambda x.\mathsf{let}\ y = \pi_i(x)\ \mathsf{in}\ y : er(K)$ 
$\equiv er(M) : er(\lambda x.\mathsf{let}\ y = \pi_i(x)\ \mathsf{in}\ y : K)$ 
$\equiv er(M : \lambda x.\mathsf{let}\ y = \pi_i(x)\ \mathsf{in}\ y : K)$ 
$\equiv er(\pi_i(M) : K)$. 

$\mathsf{let}\ x = N\ \mathsf{in}\ M$ If $\mathsf{let}\ x = N\ \mathsf{in}\ M \in W_i$ then we know $N \in W_0$ and $M \in W_i$. 
We apply the inductive hypothesis on $N$ and $M$ to conclude that: 

$er(\mathsf{let}\ x = N\ \mathsf{in}\ M : K)$ 
$\equiv er(N : \lambda x.(M : K))$ 
$\equiv er(N) : \lambda x.er(M : K)$ 
$\equiv er(N) : \lambda x.er(M) : er(K)$ 
$\equiv er(\mathsf{let}\ x = N\ \mathsf{in}\ M) : er(K)$. 

5. Then we prove the assertion for $M \in W_0$ as follows: 

$er(\mathcal{C}_{cps}(M)) \equiv er(M : \lambda x.@(halt,x))$ (by definition) 
$\equiv er(M) : \lambda x.@(halt,x)$ (by point 4) 
$\equiv \mathcal{C}_{cps}(er(M))$ (by definition). 

□ 

B.2 Proof of proposition 2 [CPS simulation] 

The proof takes the following steps. 



1. We show that for all values $V$, terms $M$, and continuations $K \neq x$: 

$[V/x]M : [\psi(V)/x]K \equiv [\psi(V)/x](M : K)$. 

We proceed by induction on $M$. 

variable By case analysis: $M = x$ or $M = y \neq x$. 

$\lambda z^+.M$ By case analysis on $K$ which is either a variable or a function. We 
develop the second case with $K = \lambda y.N$. We observe: 

$[V/x](\lambda z^+.M) : [\psi(V)/x]K$ 
$= [\lambda z^+,k.([V/x]M : k)/y][\psi(V)/x]N$ 
$= [\lambda z^+,k.[\psi(V)/x](M : k)/y][\psi(V)/x]N$ 
$= [\psi(V)/x][\lambda z^+,k.(M : k)/y]N$ 
$= [\psi(V)/x]((\lambda z^+.M) : K)$. 

$@(M_0,\ldots,M_n)$ We apply the inductive hypothesis on $M_0,\ldots,M_n$ as follows: 

$[\psi(V)/x](@(M_0,\ldots,M_n) : K)$ 
$= [\psi(V)/x](M_0 : \lambda x_0.\ \ldots\ M_n : \lambda x_n.@(x_0,\ldots,x_n,K))$ 
$= [V/x]M_0 : \lambda x_0.\ \ldots\ [\psi(V)/x](M_n : \lambda x_n.@(x_0,\ldots,x_n,K))$ 
$= [V/x]M_0 : \lambda x_0.\ \ldots\ [V/x]M_n : \lambda x_n.@(x_0,\ldots,x_n,[\psi(V)/x]K)$ 
$\equiv [V/x]@(M_0,\ldots,M_n) : [\psi(V)/x]K$. 

Note that in this case the substitution $[\psi(V)/x]$ may operate on the 
continuation. The remaining cases (pairing, projection, let, pre and post 
labelling) follow a similar pattern and are omitted. 

2. The evaluation contexts for the $\lambda^\ell$-calculus described in table 2 can also be 
specified 'bottom up' as follows: 

$E ::= [\ ] \mid E[@(V^*,[\ ],M^*)] \mid E[\mathsf{let}\ id = [\ ]\ \mathsf{in}\ M] \mid E[(V^*,[\ ],M^*)] \mid E[\pi_i([\ ])] \mid E[[\ ] > \ell]$. 

Following this specification, we associate a continuation $K_E$ with an evaluation 
context as follows: 

$K_{[\ ]} = \lambda x.@(halt,x)$ 
$K_{E[@(V^*,[\ ],M^*)]} = \lambda x.M^* : \lambda y^*.@(\psi(V)^*,x,y^*,K_E)$ 
$K_{E[\mathsf{let}\ x = [\ ]\ \mathsf{in}\ N]} = \lambda x.N : K_E$ 
$K_{E[(V^*,[\ ],M^*)]} = \lambda x.M^* : \lambda y^*.(\psi(V)^*,x,y^*) : K_E$ 
$K_{E[\pi_i([\ ])]} = \lambda x.\mathsf{let}\ y = \pi_i(x)\ \mathsf{in}\ y : K_E$ 
$K_{E[[\ ] > \ell]} = \lambda x.\ell > x : K_E$ 

where $M^* : \lambda x^*.N$ stands for $M_0 : \lambda x_0.\ \cdots\ M_n : \lambda x_n.N$ with $n \geq 0$. 

3. For all terms $M$ and evaluation contexts $E, E'$ we prove by induction on the 
evaluation context $E$ that the following holds: 

$E[M] : K_{E'} \equiv M : K_{E'[E]}$. 

For instance we detail the case the context has the shape $E[@(V^*,[\ ],M^*)]$. 

$E[@(V^*,[M],M^*)] : K_{E'}$ 
$\equiv @(V^*,[M],M^*) : K_{E'[E]}$ (by inductive hypothesis) 
$= M : \lambda x.M^* : \lambda x^*.@(\psi(V)^*,x,x^*,K_{E'[E]})$ 
$= M : K_{E'[E[@(V^*,[\ ],M^*)]]}$. 



4. For all terms $M$, continuations $K, K'$, and variable $x \notin fv(M)$ we prove by 
induction on $M$ and case analysis that the following holds: 

5. Finally, we prove the assertion by proceeding by case analysis on the reduction rule. 

- $E[@(\lambda x^+.M,V^+)] \to E[[V^+/x^+]M]$. We have: 

$E[@(\lambda x^+.M,V^+)] : K_{[\ ]}$ 
$\equiv @(\lambda x^+.M,V^+) : K_E$ 
$= @(\lambda x^+,k.M : k, \psi(V)^+, K_E)$ 
$\to [K_E/k, \psi(V)^+/x^+](M : k)$ 
$= [K_E/k]([V/x]M : k)$ 
$\equiv [V/x]M : K_E$ 
$\equiv E[[V/x]M] : K_{[\ ]}$. 

- $E[\mathsf{let}\ x = V\ \mathsf{in}\ M] \to E[[V/x]M]$. We have: 

$E[\mathsf{let}\ x = V\ \mathsf{in}\ M] : K_{[\ ]}$ 
$\equiv \mathsf{let}\ x = V\ \mathsf{in}\ M : K_E$ 
$\equiv V : \lambda x.(M : K_E)$ 
$\equiv [\psi(V)/x](M : K_E)$ 
$\equiv [V/x]M : K_E$ 
$\equiv E[[V/x]M] : K_{[\ ]}$. 

- $E[\pi_i(V)] \to E[V_i]$, where $V = (V_1,\ldots,V_n)$ and $1 \leq i \leq n$. We have: 

$E[\pi_i(V)] : K_{[\ ]}$ 
$\equiv \pi_i(V) : K_E$ 
$\equiv V : \lambda x.\mathsf{let}\ y = \pi_i(x)\ \mathsf{in}\ y : K_E$ 
$= \mathsf{let}\ y = \pi_i(\psi(V_1),\ldots,\psi(V_n))\ \mathsf{in}\ y : K_E$ 
$\to [\psi(V_i)/y](y : K_E)$ 
$\equiv V_i : K_E$ 
$\equiv E[V_i] : K_{[\ ]}$. 

- $E[\ell > M] \xrightarrow{\ell} E[M]$. We have: 

$E[\ell > M] : K_{[\ ]}$ 
$= \ell > M : K_E$ 
$\equiv \ell > (M : K_E)$ 
$\xrightarrow{\ell} (M : K_E)$ 
$\equiv E[M] : K_{[\ ]}$. 

- $E[V > \ell] \xrightarrow{\ell} E[V]$. We have: 

$E[V > \ell] : K_{[\ ]}$ 
$= V > \ell : K_E$ 
$\equiv V : \lambda x.\ell > x : K_E$ 
$= \ell > (V : K_E)$ 
$\xrightarrow{\ell} V : K_E$ 
$\equiv E[V] : K_{[\ ]}$. 



B.3 Proof of proposition 3 [AD commutation] 

(1) We show that for every $P$ which is either a term or a value of the $\lambda^\ell_{cps}$-calculus 
the following properties hold: 

A If $P$ is a term then $\mathcal{R}(\mathcal{C}_{ad}(P)) = P$. 

B If $P$ is a value then for any term $N$, $\mathcal{R}(\mathcal{E}_{ad}(P,x)[N]) = [P/x]\mathcal{R}(N)$. 

We prove the two properties at once by induction on the structure of $P$. 

$@(x,x^+)$ We are in case A and by definition we have: 

$\mathcal{R}(\mathcal{C}_{ad}(@(x,x^+))) \equiv \mathcal{R}(@(x,x^+)) \equiv @(x,x^+)$. 

$@(x^*,V,V^*)$, $V \neq id$ Again in case A. We have: 

$\mathcal{R}(\mathcal{C}_{ad}(@(x^*,V,V^*)))$ 
$= \mathcal{R}(\mathcal{E}_{ad}(V,y)[\mathcal{C}_{ad}(@(x^*,y,V^*))])$ 
$= [V/y]\mathcal{R}(\mathcal{C}_{ad}(@(x^*,y,V^*)))$ (by ind. hyp. on B) 
$= [V/y]@(x^*,y,V^*)$ (by ind. hyp. on A) 
$\equiv @(x^*,V,V^*)$. 

$\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ M$ Again in case A. We have: 

$\mathcal{R}(\mathcal{C}_{ad}(\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ M))$ 
$\equiv \mathcal{R}(\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ \mathcal{C}_{ad}(M))$ 
$= \mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ \mathcal{R}(\mathcal{C}_{ad}(M))$ 
$\equiv \mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ M$ (by ind. hyp. on A). 

$\mathsf{let}\ x = \pi_i(V)\ \mathsf{in}\ M$, $V \neq id$ Again in case A. We have: 

$\mathcal{R}(\mathcal{C}_{ad}(\mathsf{let}\ x = \pi_i(V)\ \mathsf{in}\ M))$ 
$\equiv \mathcal{R}(\mathcal{E}_{ad}(V,y)[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ \mathcal{C}_{ad}(M)])$ 
$\equiv [V/y]\mathcal{R}(\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ \mathcal{C}_{ad}(M))$ (by ind. hyp. on B) 
$\equiv [V/y]\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ \mathcal{R}(\mathcal{C}_{ad}(M))$ 
$\equiv [V/y]\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ M$ (by ind. hyp. on A) 
$\equiv \mathsf{let}\ x = \pi_i(V)\ \mathsf{in}\ M$. 



$\ell > M$ Last case for A. We have: 

$\mathcal{R}(\mathcal{C}_{ad}(\ell > M))$ 
$= \mathcal{R}(\ell > \mathcal{C}_{ad}(M))$ 
$= \ell > \mathcal{R}(\mathcal{C}_{ad}(M))$ 
$= \ell > M$ (by ind. hyp. on A). 

$\lambda y^+.M$ We now turn to case B. We have: 

$\mathcal{R}(\mathcal{E}_{ad}(\lambda y^+.M,x)[N])$ 
$= \mathcal{R}(\mathsf{let}\ x = \lambda y^+.\mathcal{C}_{ad}(M)\ \mathsf{in}\ N)$ 
$= [\mathcal{R}(\lambda y^+.\mathcal{C}_{ad}(M))/x]\mathcal{R}(N)$ 
$= [\lambda y^+.\mathcal{R}(\mathcal{C}_{ad}(M))/x]\mathcal{R}(N)$ 
$= [\lambda y^+.M/x]\mathcal{R}(N)$ (by ind. hyp. on A). 

$(y^+)$ Again in case B. We have: 

$\mathcal{R}(\mathcal{E}_{ad}((y^+),x)[N])$ 
$= \mathcal{R}(\mathsf{let}\ x = (y^+)\ \mathsf{in}\ N)$ 
$= [(y^+)/x]\mathcal{R}(N)$. 

$(y^*,V,V^*)$, $V \neq id$ Last case for B. We have: 

$\mathcal{R}(\mathcal{E}_{ad}((y^*,V,V^*),x)[N])$ 
$= \mathcal{R}(\mathcal{E}_{ad}(V,z)[\mathcal{E}_{ad}((y^*,z,V^*),x)[N]])$ 
$= [V/z]\mathcal{R}(\mathcal{E}_{ad}((y^*,z,V^*),x)[N])$ (by ind. hyp. on B) 
$= [V/z]([(y^*,z,V^*)/x]\mathcal{R}(N))$ (by ind. hyp. on B) 
$= [(y^*,V,V^*)/x]\mathcal{R}(N)$. 



(2) The proof is similar to the previous one. We show that for every $P$ which is 
either a term or a value of the $\lambda^\ell_{cps}$-calculus the following properties hold: 

A If $P$ is a term then $er(\mathcal{C}_{ad}(P)) = \mathcal{C}_{ad}(er(P))$. 

B If $P$ is a value then for any term $N$, $er(\mathcal{E}_{ad}(P,x)[N]) = \mathcal{E}_{ad}(er(P),x)[er(N)]$. 

We prove the two properties at once by induction on the structure of $P$. 

$@(x,x^+)$ We are in case A and by definition we have: 

$er(\mathcal{C}_{ad}(@(x,x^+))) = er(@(x,x^+)) = @(x,x^+) = \mathcal{C}_{ad}(er(@(x,x^+)))$. 

$@(x^*,V,V^*)$, $V \neq id$ Again in case A. We have: 

$er(\mathcal{C}_{ad}(@(x^*,V,V^*)))$ 
$= er(\mathcal{E}_{ad}(V,y)[\mathcal{C}_{ad}(@(x^*,y,V^*))])$ 
$= \mathcal{E}_{ad}(er(V),y)[er(\mathcal{C}_{ad}(@(x^*,y,V^*)))]$ (by ind. hyp. on B) 
$= \mathcal{E}_{ad}(er(V),y)[\mathcal{C}_{ad}(er(@(x^*,y,V^*)))]$ (by ind. hyp. on A) 
$= \mathcal{C}_{ad}(er(@(x^*,V,V^*)))$. 

$\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ M$ Again in case A. We have: 

$er(\mathcal{C}_{ad}(\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ M))$ 
$= er(\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ \mathcal{C}_{ad}(M))$ 
$= \mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ er(\mathcal{C}_{ad}(M))$ 
$= \mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ \mathcal{C}_{ad}(er(M))$ (by ind. hyp. on A) 
$= \mathcal{C}_{ad}(er(\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ M))$. 

$\mathsf{let}\ x = \pi_i(V)\ \mathsf{in}\ M$, $V \neq id$ Again in case A. We have: 

$er(\mathcal{C}_{ad}(\mathsf{let}\ x = \pi_i(V)\ \mathsf{in}\ M))$ 
$= er(\mathcal{E}_{ad}(V,z)[\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ \mathcal{C}_{ad}(M)])$ 
$= \mathcal{E}_{ad}(er(V),z)[\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ er(\mathcal{C}_{ad}(M))]$ (by ind. hyp. on B) 
$\equiv \mathcal{E}_{ad}(er(V),z)[\mathsf{let}\ x = \pi_i(z)\ \mathsf{in}\ \mathcal{C}_{ad}(er(M))]$ (by ind. hyp. on A) 
$= \mathcal{C}_{ad}(er(\mathsf{let}\ x = \pi_i(V)\ \mathsf{in}\ M))$. 

$\ell > M$ Last case for A. We have: 

$er(\mathcal{C}_{ad}(\ell > M))$ 
$= er(\ell > \mathcal{C}_{ad}(M))$ 
$\equiv er(\mathcal{C}_{ad}(M))$ 
$\equiv \mathcal{C}_{ad}(er(M))$ (by ind. hyp. on A) 
$= \mathcal{C}_{ad}(er(\ell > M))$. 

$\lambda y^+.M$ We now turn to case B. We have: 

$er(\mathcal{E}_{ad}(\lambda y^+.M,x)[N])$ 
$\equiv er(\mathsf{let}\ x = \lambda y^+.\mathcal{C}_{ad}(M)\ \mathsf{in}\ N)$ 
$\equiv \mathsf{let}\ x = \lambda y^+.er(\mathcal{C}_{ad}(M))\ \mathsf{in}\ er(N)$ 
$\equiv \mathsf{let}\ x = \lambda y^+.\mathcal{C}_{ad}(er(M))\ \mathsf{in}\ er(N)$ (by ind. hyp. on A) 
$= \mathcal{E}_{ad}(er(\lambda y^+.M),x)[er(N)]$. 

$(y^+)$ Again in case B. We have: 

$er(\mathcal{E}_{ad}((y^+),x)[N])$ 
$\equiv er(\mathsf{let}\ x = (y^+)\ \mathsf{in}\ N)$ 
$\equiv \mathsf{let}\ x = (y^+)\ \mathsf{in}\ er(N)$ 
$= \mathcal{E}_{ad}(er((y^+)),x)[er(N)]$. 

$(y^*,V,V^*)$, $V \neq id$ Last case for B. We have: 

$er(\mathcal{E}_{ad}((y^*,V,V^*),x)[N])$ 
$\equiv er(\mathcal{E}_{ad}(V,z)[\mathcal{E}_{ad}((y^*,z,V^*),x)[N]])$ 
$= \mathcal{E}_{ad}(er(V),z)[er(\mathcal{E}_{ad}((y^*,z,V^*),x)[N])]$ (by ind. hyp. on B) 
$= \mathcal{E}_{ad}(er(V),z)[\mathcal{E}_{ad}(er((y^*,z,V^*)),x)[er(N)]]$ (by ind. hyp. on B) 
$= \mathcal{E}_{ad}(er((y^*,V,V^*)),x)[er(N)]$. 

□ 



B.4 Proof of proposition 4 [AD simulation] 

First we fix some notation. We associate a substitution $\sigma_E$ with an evaluation 
context $E$ of the $\lambda^\ell_{cps,a}$-calculus as follows: 

$\sigma_{[\ ]} = Id \qquad \sigma_{\mathsf{let}\ x = V\ \mathsf{in}\ E} = [\mathcal{R}(V)/x] \circ \sigma_E$. 

Then we prove the property by case analysis. 

- If $\mathcal{R}(N) = @(\lambda y^+.M,V^+) \to [V^+/y^+]M$ then $N = E[@(x,x^+)]$, $\sigma_E(x) = \lambda y^+.M$, and $\sigma_E(x^+) \equiv V^+$. 
Moreover, $E = E_1[\mathsf{let}\ x = \lambda y^+.M'\ \mathsf{in}\ E_2]$ and $\sigma_{E_1}(\lambda y^+.M') = \lambda y^+.M$. 
Therefore, $N \to E[[x^+/y^+]M'] = N'$ and we check that $\mathcal{R}(N') = \sigma_E([x^+/y^+]M') = [V^+/y^+]M$. 

- If $\mathcal{R}(N) = \mathsf{let}\ x = \pi_i((V_1,\ldots,V_n))\ \mathsf{in}\ M \to [V_i/x]M$ then $N = E[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ N'']$, $\sigma_E(y) = (V_1,\ldots,V_n)$, and $\sigma_E(N'') = M$. 
Moreover, $E = E_1[\mathsf{let}\ y = (z_1,\ldots,z_n)\ \mathsf{in}\ E_2]$ and $\sigma_{E_1}(z_1,\ldots,z_n) = (V_1,\ldots,V_n)$. 
Therefore, $N \to E[[z_i/x]N''] = N'$ and we check that $\mathcal{R}(N') = \sigma_E([z_i/x]N'') = [V_i/x]M$. 

- If $\mathcal{R}(N) = \ell > M \xrightarrow{\ell} M$ then $N = E[\ell > N'']$ and $\sigma_E(N'') = M$. We 
conclude by observing that $N \xrightarrow{\ell} E[N'']$. $\square$ 

B.5 Proof of proposition 5 [CC commutation] 

This is a simple induction on the structure of the term $M$. 

$@(x,y^+)$ We have: 

$er(\mathcal{C}_{cc}(@(x,y^+)))$ 
$= er(\mathsf{let}\ z = \pi_1(x)\ \mathsf{in}\ @(z,x,y^+))$ 
$= \mathsf{let}\ z = \pi_1(x)\ \mathsf{in}\ @(z,x,y^+)$ 
$= \mathcal{C}_{cc}(@(x,y^+))$ 
$= \mathcal{C}_{cc}(er(@(x,y^+)))$. 

$\mathsf{let}\ x = B\ \mathsf{in}\ M$, $B$ not a function We have: 

$er(\mathcal{C}_{cc}(\mathsf{let}\ x = B\ \mathsf{in}\ M))$ 
$= er(\mathsf{let}\ x = B\ \mathsf{in}\ \mathcal{C}_{cc}(M))$ 
$= \mathsf{let}\ x = B\ \mathsf{in}\ er(\mathcal{C}_{cc}(M))$ 
$= \mathsf{let}\ x = B\ \mathsf{in}\ \mathcal{C}_{cc}(er(M))$ (by ind. hyp.) 
$= \mathcal{C}_{cc}(er(\mathsf{let}\ x = B\ \mathsf{in}\ M))$. 

$\mathsf{let}\ x = \lambda x^+.N\ \mathsf{in}\ M$, $fv(\lambda x^+.N) = \{z_1,\ldots,z_k\}$ We have: 

$er(\mathcal{C}_{cc}(\mathsf{let}\ x = \lambda x^+.N\ \mathsf{in}\ M))$ 
$\equiv er(\mathsf{let}\ y = \lambda z,x^+.\mathsf{let}\ z_1 = \pi_2(z),\ldots,z_k = \pi_{k+1}(z)\ \mathsf{in}\ \mathcal{C}_{cc}(N)\ \mathsf{in}\ \mathsf{let}\ x = (y,z_1,\ldots,z_k)\ \mathsf{in}\ \mathcal{C}_{cc}(M))$ 
$\equiv \mathsf{let}\ y = \lambda z,x^+.\mathsf{let}\ z_1 = \pi_2(z),\ldots,z_k = \pi_{k+1}(z)\ \mathsf{in}\ er(\mathcal{C}_{cc}(N))\ \mathsf{in}\ \mathsf{let}\ x = (y,z_1,\ldots,z_k)\ \mathsf{in}\ er(\mathcal{C}_{cc}(M))$ 
$= \mathsf{let}\ y = \lambda z,x^+.\mathsf{let}\ z_1 = \pi_2(z),\ldots,z_k = \pi_{k+1}(z)\ \mathsf{in}\ \mathcal{C}_{cc}(er(N))\ \mathsf{in}\ \mathsf{let}\ x = (y,z_1,\ldots,z_k)\ \mathsf{in}\ \mathcal{C}_{cc}(er(M))$ (by ind. hyp.) 
$\equiv \mathcal{C}_{cc}(er(\mathsf{let}\ x = \lambda x^+.N\ \mathsf{in}\ M))$. 

$\ell > M$ We have: 

$er(\mathcal{C}_{cc}(\ell > M))$ 
$= er(\ell > \mathcal{C}_{cc}(M))$ 
$= er(\mathcal{C}_{cc}(M))$ 
$= \mathcal{C}_{cc}(er(M))$ (by ind. hyp.) 
$= \mathcal{C}_{cc}(er(\ell > M))$. 

□ 

B.6 Proof of proposition 6 [CC simulation] 

As a first step we check that the closure conversion function commutes with 
name substitution: 

$\mathcal{C}_{cc}([x/y]M) = [x/y]\mathcal{C}_{cc}(M)$. 

This is a direct induction on the structure of the term $M$. Then we extend the 
closure conversion function to contexts as follows: 

$\mathcal{C}_{cc}([\ ]) = [\ ]$ 
$\mathcal{C}_{cc}(\mathsf{let}\ x = (y^+)\ \mathsf{in}\ E) = \mathsf{let}\ x = (y^+)\ \mathsf{in}\ \mathcal{C}_{cc}(E)$ 
$\mathcal{C}_{cc}(\mathsf{let}\ x = \lambda x^+.M\ \mathsf{in}\ E) = \mathsf{let}\ y = \lambda z,x^+.\mathsf{let}\ z_1 = \pi_2(z),\ldots,z_k = \pi_{k+1}(z)\ \mathsf{in}\ \mathcal{C}_{cc}(M)\ \mathsf{in}\ \mathsf{let}\ x = (y,z_1,\ldots,z_k)\ \mathsf{in}\ \mathcal{C}_{cc}(E)$ 
where: $fv(\lambda x^+.M) = \{z_1,\ldots,z_k\}$. 

We note that for any evaluation context $E$, $\mathcal{C}_{cc}(E)$ is again an evaluation context, 
and moreover for any term $M$ we have: 

$\mathcal{C}_{cc}(E[M]) = \mathcal{C}_{cc}(E)[\mathcal{C}_{cc}(M)]$. 

Finally we prove the simulation property by case analysis of the reduction rule 
being applied. 

- Suppose $M = E[@(x,y^+)] \to E[[y^+/x^+]M]$ where $E(x) = \lambda x^+.M$. Then: 

$\mathcal{C}_{cc}(E[@(x,y^+)]) = \mathcal{C}_{cc}(E)[\mathsf{let}\ z = \pi_1(x)\ \mathsf{in}\ @(z,x,y^+)]$ 

with $\mathcal{C}_{cc}(E)(x) = (y,z_1,\ldots,z_k)$ and 
$\mathcal{C}_{cc}(E)(y) = \lambda z,x^+.\mathsf{let}\ z_1 = \pi_2(z),\ldots,z_k = \pi_{k+1}(z)\ \mathsf{in}\ \mathcal{C}_{cc}(M)$. Therefore: 

$\mathcal{C}_{cc}(E)[\mathsf{let}\ z = \pi_1(x)\ \mathsf{in}\ @(z,x,y^+)]$ 
$\to \mathcal{C}_{cc}(E)[@(y,x,y^+)]$ 
$\to \mathcal{C}_{cc}(E)[\mathsf{let}\ z_1 = \pi_2(x),\ldots,z_k = \pi_{k+1}(x)\ \mathsf{in}\ [y^+/x^+]\mathcal{C}_{cc}(M)]$ 
$\to \mathcal{C}_{cc}(E)[[y^+/x^+]\mathcal{C}_{cc}(M)]$ 
$= \mathcal{C}_{cc}(E)[\mathcal{C}_{cc}([y^+/x^+]M)]$ (by substitution commutation) 
$= \mathcal{C}_{cc}(E[[y^+/x^+]M])$. 

- Suppose $M = E[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ M] \to E[[z_i/x]M]$ where $E(y) = (z_1,\ldots,z_k)$, 
$1 \leq i \leq k$. Then: 

$\mathcal{C}_{cc}(E[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ M]) = \mathcal{C}_{cc}(E)[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ \mathcal{C}_{cc}(M)]$ 

with $\mathcal{C}_{cc}(E)(y) = (z_1,\ldots,z_k)$. Therefore: 

$\mathcal{C}_{cc}(E)[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ \mathcal{C}_{cc}(M)]$ 
$\to \mathcal{C}_{cc}(E)[[z_i/x]\mathcal{C}_{cc}(M)]$ 
$= \mathcal{C}_{cc}(E)[\mathcal{C}_{cc}([z_i/x]M)]$ (by substitution commutation) 
$= \mathcal{C}_{cc}(E[[z_i/x]M])$. 

- Suppose $M = E[\ell > M] \xrightarrow{\ell} E[M]$. Then: 

$\mathcal{C}_{cc}(E[\ell > M])$ 
$= \mathcal{C}_{cc}(E)[\mathcal{C}_{cc}(\ell > M)]$ 
$= \mathcal{C}_{cc}(E)[\ell > \mathcal{C}_{cc}(M)]$ 
$\xrightarrow{\ell} \mathcal{C}_{cc}(E)[\mathcal{C}_{cc}(M)]$ 
$= \mathcal{C}_{cc}(E[M])$. 



□ 



B.7 Proof of proposition 7 [on hoisting transformations] 

As a preliminary remark, note that the hoisting contexts $D$ can be defined in an 
equivalent way as follows: 

$D ::= [\ ] \mid D[\mathsf{let}\ x = B\ \mathsf{in}\ [\ ]] \mid D[\mathsf{let}\ x = \lambda y^+.[\ ]\ \mathsf{in}\ M] \mid D[\ell > [\ ]]$ 

If $D$ is a hoisting context and $x$ is a variable we define $D(x)$ as follows: 

$D(x) = \lambda z^+.T$ if $D = D'[\mathsf{let}\ x = \lambda z^+.T\ \mathsf{in}\ [\ ]]$ 
$D(x) = D'(x)$ o.w. if $D = D'[\mathsf{let}\ y = B\ \mathsf{in}\ [\ ]]$, $x \neq y$ 
$D(x) = D'(x)$ o.w. if $D = D'[\mathsf{let}\ y = \lambda y^+.[\ ]\ \mathsf{in}\ M]$, $x \notin \{y^+\}$ 

The intuition is that $D(x)$ checks whether $D$ binds $x$ to a simple function $\lambda z^+.T$. 
If this is the case it returns the simple function as a result, otherwise the result 
is undefined. 

Let $I$ be the set of terms of the $\lambda^\ell_{cps,a}$-calculus such that if $M = D[\mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ N]$ 
and $z \in fv(\lambda y^+.T)$ then $D(z) = \lambda z^+.T'$. Thus a name free in a simple function 
must be bound to another simple function. We prove the following properties: 

1. The hoisting transformations terminate. 

2. The hoisting transformations are confluent (hence the result of the hoisting 
transformations is unique). 

3. If a term $M$ of the $\lambda^\ell_{cps,a}$-calculus contains a function definition then $M = D[\mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ N]$ for some $D, T, N$. 

4. All terms in $\lambda^\ell_{cc,a}$ belong to the set $I$ (trivially). 

5. The set $I$ is an invariant of the hoisting transformations, i.e., if $M \in I$ and 
$M \leadsto N$ then $N \in I$. 

6. If a term satisfying the invariant above is not a program then a hoisting 
transformation applies. 



(1) To prove the termination of the hoisting transformations we introduce a size 
function from terms to positive natural numbers as follows: 

$|@(x,x^+)| = 1$ 
$|\mathsf{let}\ x = \lambda y^+.M\ \mathsf{in}\ N| = 2 \cdot |M| + |N|$ 
$|\mathsf{let}\ x = C\ \mathsf{in}\ N| = 2 \cdot |N|$ 
$|\ell > N| = 2 \cdot |N|$. 

Then we check that if $M \leadsto N$ then $|M| > |N|$. Note that the hoisting context 
$D$ induces a function which is strictly monotone on natural numbers. Thus it 
is enough to check that the size of the redex term is larger than the size of the 
reduced term. 

$(h_1)$ 
$|\mathsf{let}\ x = C\ \mathsf{in}\ \mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ M|$ 
$= 2 \cdot (2 \cdot |T| + |M|)$ 
$> 2 \cdot |T| + 2 \cdot |M|$ 
$= |\mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ \mathsf{let}\ x = C\ \mathsf{in}\ M|$. 

$(h_2)$ 
$|\mathsf{let}\ x = \lambda w^+.\mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ M\ \mathsf{in}\ N|$ 
$= 2 \cdot (2 \cdot |T| + |M|) + |N|$ 
$> 2 \cdot |T| + 2 \cdot |M| + |N|$ 
$= |\mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ \mathsf{let}\ x = \lambda w^+.M\ \mathsf{in}\ N|$. 

$(h_3)$ 
$|\ell > \mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ M|$ 
$= 2 \cdot (2 \cdot |T| + |M|)$ 
$> 2 \cdot |T| + 2 \cdot |M|$ 
$= |\mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ \ell > M|$. 
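To see the measure at work, the following Python block is an added example (not code from the paper or its prototype): it encodes λ^ℓ_{cps,a} terms as tuples, implements the size function above and the transformations (h1)-(h3) with their side conditions checked through a free-variable function, and applies them to normal form while asserting that the size strictly decreases at each step. The tuple encoding, the choice to look for redexes in every subterm position, and the two sample terms (the first is the term M of Example 5 with T2 = @(y2, y2) and T1 = @(x2, y1)) are assumptions of the example; the measure itself is the one defined in (1).

```python
# Added example (not the paper's code): the size measure of B.7 (1) and the
# hoisting transformations (h1)-(h3) on a tuple encoding of lambda_cps,a terms.
#
# Encoding (an assumption of this example):
#   ("app", x, [x1, ...])            @(x, x+)
#   ("letfun", x, [y1, ...], M, N)   let x = \y+.M in N
#   ("let", x, C, N)                 let x = C in N, C a non-function binding
#   ("tup", [y1, ...])               the only non-function binding C used here
#   ("lab", l, N)                    l > N
# All binders are assumed distinct (Barendregt convention).


def fv(t):
    """Free variables of a term or of a non-function binding."""
    tag = t[0]
    if tag == "app":
        return {t[1], *t[2]}
    if tag == "tup":
        return set(t[1])
    if tag == "let":
        return fv(t[2]) | (fv(t[3]) - {t[1]})
    if tag == "letfun":
        return (fv(t[3]) - set(t[2])) | (fv(t[4]) - {t[1]})
    if tag == "lab":
        return fv(t[2])
    raise ValueError(tag)


def size(t):
    """The measure |.| from B.7 (1)."""
    tag = t[0]
    if tag == "app":
        return 1
    if tag == "letfun":
        return 2 * size(t[3]) + size(t[4])
    if tag in ("let", "lab"):
        return 2 * size(t[-1])
    raise ValueError(tag)


def hoist_root(t):
    """One hoisting transformation with the redex at the root, or None."""
    tag = t[0]
    if tag == "let" and t[3][0] == "letfun":            # (h1)
        x, c, (_, y, zs, T, M) = t[1], t[2], t[3]
        if x not in fv(T) - set(zs):                      # x not free in \z+.T
            return ("letfun", y, zs, T, ("let", x, c, M))
    if tag == "letfun" and t[3][0] == "letfun":         # (h2)
        x, ws, (_, y, zs, T, M), N = t[1], t[2], t[3], t[4]
        if not (set(ws) & (fv(T) - set(zs))):             # \z+.T does not use w+
            return ("letfun", y, zs, T, ("letfun", x, ws, M, N))
    if tag == "lab" and t[2][0] == "letfun":            # (h3)
        l, (_, y, zs, T, M) = t[1], t[2]
        return ("letfun", y, zs, T, ("lab", l, M))
    return None


def hoist_step(t):
    """Apply one hoisting step somewhere in t (root first), or None."""
    r = hoist_root(t)
    if r is not None:
        return r
    tag = t[0]
    if tag == "let":
        r = hoist_step(t[3])
        return None if r is None else ("let", t[1], t[2], r)
    if tag == "letfun":
        r = hoist_step(t[3])
        if r is not None:
            return ("letfun", t[1], t[2], r, t[4])
        r = hoist_step(t[4])
        return None if r is None else ("letfun", t[1], t[2], t[3], r)
    if tag == "lab":
        r = hoist_step(t[2])
        return None if r is None else ("lab", t[1], r)
    return None


def hoist(t):
    """Run hoisting to normal form; return (normal form, size after each term)."""
    sizes = [size(t)]
    while True:
        n = hoist_step(t)
        if n is None:
            return t, sizes
        t = n
        sizes.append(size(t))
        assert sizes[-1] < sizes[-2], "the measure must strictly decrease"


# Constructed sample: the term M of Example 5 with T2 = @(y2, y2), T1 = @(x2, y1).
T2 = ("app", "y2", ["y2"])
T1 = ("app", "x2", ["y1"])
EX5 = ("letfun", "x1", ["y1"], ("letfun", "x2", ["y2"], T2, T1), ("app", "x1", ["z"]))

# Constructed sample that needs (h1) and then (h3).
EX_H1_H3 = ("lab", "l", ("let", "x", ("tup", ["a"]),
            ("letfun", "f", ["u"], ("app", "u", ["u"]), ("app", "f", ["x"]))))

if __name__ == "__main__":
    for t in (EX5, EX_H1_H3):
        print(hoist(t))
```

Because the size of a function let is 2·|M| + |N| while every other construct doubles the size of its single subterm, moving a simple function outward always trades a factor 2 on |T| for the addition seen in the three inequalities, which is what the recorded size sequence makes visible.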

(2) Since the hoisting transformation is terminating, by Newman's lemma it 
is enough to prove local confluence. There are $9 = 3 \cdot 3$ cases to consider. In 
each case one checks that the two redexes cannot superpose. Moreover, since 
the hoisting transformations neither duplicate nor erase terms, one can close the 
diagrams in one step. 

For instance, suppose the term $D[\mathsf{let}\ x = \lambda w^+.\mathsf{let}\ y = \lambda z^+.T\ \mathsf{in}\ M\ \mathsf{in}\ N]$ 
contains a distinct redex $\Delta$ of the same type (a function definition containing a 
simple function definition). Then the root of this redex can be in the subterms 
$M$ or $N$ or in the context $D$. Moreover if it is in $D$, then either it is disjoint 
from the first redex or it contains it strictly. Indeed, the second let of the second 
redex cannot be the first let of the first redex since the latter is not defining a 
simple function. 

(3) By induction on $M$. Let $F$ be an abbreviation for $\mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ N$. 

$@(x,x^+)$ The property holds trivially. 

$\mathsf{let}\ y = C\ \mathsf{in}\ M$ Then $M$ must contain a function definition. Then by inductive 
hypothesis, $M = D'[F]$. We conclude by taking $D = \mathsf{let}\ y = C\ \mathsf{in}\ D'$. 

$\mathsf{let}\ y = \lambda x^+.M'\ \mathsf{in}\ M$ If $M'$ is a restricted term then we take $D = [\ ]$. Otherwise, 
$M'$ must contain a function definition and by inductive hypothesis, $M' = D'[F]$. 
Then we take $D = \mathsf{let}\ y = \lambda x^+.D'\ \mathsf{in}\ M$. 

$\ell > M$ Then $M$ contains a function definition and by inductive hypothesis $M = D'[F]$. 
We conclude by taking $D = \ell > D'$. 

(4) In the terms of the $\lambda^\ell_{cc,a}$-calculus all functions are closed and therefore the 
condition is vacuously satisfied. 

(5) We proceed by case analysis on the hoisting transformations. 

(6) We proceed by induction on the structure of the term $M$. 

$@(x,y^+)$ This is a program. 

$\mathsf{let}\ x = B\ \mathsf{in}\ M'$ There are two cases: 

- If $M'$ is not a program then by inductive hypothesis a hoisting transformation 
applies and the same transformation can be applied to $M$. 

- If $M'$ is a program then it has a function definition on top (otherwise 
$M$ is a program). Because $M$ belongs to $I$ the side condition of $(h_1)$ is 
satisfied. 

$\mathsf{let}\ x = \lambda y^+.M'\ \mathsf{in}\ M''$ Again there are two cases: 

- If $M'$ or $M''$ are not programs then by inductive hypothesis a hoisting 
transformation applies and the same transformation can be applied to $M$. 

- Otherwise, $M'$ is a program with a function definition on top (otherwise 
$M$ is a program). Because $M$ belongs to $I$ the side condition of $(h_2)$ is 
satisfied. 

$\ell > M'$ Again there are two cases: 

- If $M'$ is not a program then by inductive hypothesis a hoisting transformation 
applies and the same transformation can be applied to $M$. 

- If $M'$ is a program then it has a function definition on top (otherwise $M$ 
is a program) and $(h_3)$ applies to $M$. $\square$ 

B.8 Proof of proposition 8 [hoisting commutation] 

As a preliminary step, extend the erasure function to the hoisting contexts in 
the obvious way and notice that (i) if $D$ is a hoisting context then $er(D)$ is a 
hoisting context too, and (ii) $er(D[M]) = er(D)[er(M)]$. 

(1) We proceed by case analysis on the hoisting transformation applied to $M$. 
The case where $er(M) = er(N)$ arises in $(h_3)$: 

$D[\ell > \mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ M] \leadsto D[\mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ \ell > M]$ 
$er(D[\ell > \mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ M]) \equiv er(D[\mathsf{let}\ x = \lambda y^+.T\ \mathsf{in}\ \ell > M])$ 

(2) We show that $er(M) \leadsto$ entails that $M \leadsto$. Since $er(M)$ has no labels, either 
$(h_1)$ or $(h_2)$ apply. Then $M$ is a term that is derived from $er(M)$ by inserting 
(possibly empty) sequences of pre-labelling before each subterm. We check that 
either the hoisting transformation applied to $er(M)$ can be applied to $M$ too or 
$(h_3)$ applies. 

(3) If $\mathcal{C}_h(M) = N$ then by definition we have $M \leadsto^* N \not\leadsto$. By (1) $er(M) \leadsto^* er(N)$, 
and by (2) $er(N) \not\leadsto$. Hence $\mathcal{C}_h(er(M)) = er(N) = er(\mathcal{C}_h(M))$. $\square$ 

B.9 Proof of proposition 9 [hoisting simulation] 

Definition 2. A (strong) simulation on the terms of the $\lambda^\ell_{cps,a}$-calculus is a 
binary relation $R$ such that if $M\ R\ N$ and $M \to M'$ then there is $N'$ such that 
$N \to N'$ and $M'\ R\ N'$. 

Definition 3. A (pre-)congruence on the terms of the $\lambda^\ell_{cps,a}$-calculus is an equivalence 
relation (a pre-order) which is preserved by the operators of the calculus. 

Definition 4. Let $\sim$ be the smallest congruence on terms of the $\lambda^\ell_{cps,a}$-calculus 
which is induced by structural equivalence and the following commutation of let-definitions: 

$\mathsf{let}\ x_1 = V_1\ \mathsf{in}\ \mathsf{let}\ x_2 = V_2\ \mathsf{in}\ M \sim \mathsf{let}\ x_2 = V_2\ \mathsf{in}\ \mathsf{let}\ x_1 = V_1\ \mathsf{in}\ M$ 

where: $x_1 \neq x_2$, $x_1 \notin fv(V_2)$, $x_2 \notin fv(V_1)$. 

The relation $\sim$ is preserved by name substitution and it is a simulation. 

Definition 5. Let $\succeq$ be the smallest pre-congruence on terms of the $\lambda^\ell_{cps,a}$-calculus 
which is induced by structural equivalence and the following collapse of let-definitions: 

$\mathsf{let}\ x = V\ \mathsf{in}\ \mathsf{let}\ x = V\ \mathsf{in}\ M \succeq \mathsf{let}\ x = V\ \mathsf{in}\ M$ 
where: $x \notin fv(V)$. 

The relation $\succeq$ is preserved by name substitution and it is a simulation. 

Definition 6. Let $S_h$ be the relation $\sim \circ \succeq$. 

Note that $S_h$ is a simulation too. Then we can state the main lemma. 

Lemma 1. Let $M$ be a term of the $\lambda^\ell_{cps,a}$-calculus. If $M \to M'$ and $M \leadsto N$ 
then there is $N'$ such that $N \to N'$ and $M'\ (\leadsto^*) \circ S_h\ N'$. 

Proof. As a preliminary remark we notice that the hoisting transformations 
are preserved by name substitution. Namely if $M \leadsto N$ then $[y^+/x^+]M \leadsto [y^+/x^+]N$. 

There are three reduction rules and three hoisting transformations hence 
there are 9 cases to consider and for each case we have to analyse how the two 
redexes can superpose. 

As usual a term can be regarded as a tree and an occurrence in the tree is 
identified by a path $\pi$ which is a sequence of natural numbers. 



- The reduction rule is 

$E[@(x,y^+)] \to E[[y^+/z^+]M]$ 

where $E(x) = \lambda z^+.M$. We suppose that $\pi$ is the path which corresponds to 
the let-definition of the variable $x$ and $\pi'$ is that path that determines the 
redex of the hoisting transformation. 

$(h_1)$ There are two critical cases. 

1. The let-definition that defines a function of the hoisting transformation 
coincides with the let-definition of $x$. In this case $M$ is actually 
a restricted term $T$. The diagram is closed in one step. 

2. The path $\pi'$ determines a subterm of $M$. If we reduce first then we 
have to apply the hoisting transformation twice to close the diagram 
using the fact that these transformations are preserved by name substitution. 

$(h_2)$ Again there are two critical situations. 

1. The top level let-definition of the hoisting transformation coincides 
with the let-definition of the variable $x$ in the reduction. This is the 
case illustrated by example 5. If we reduce first then we have 
to apply the hoisting transformation twice (again using preservation 
under name substitution). After this we have to commute the let-definitions 
and finally collapse two identical ones. 

2. The path $\pi'$ determines a subterm of $M$. If we reduce first then we 
have to apply the hoisting transformation twice to close the diagram 
using the fact that these transformations are preserved by name substitution. 

$(h_3)$ There are two critical cases. 

1. The function let-definition in the hoisting transformation coincides 
with the let-definition of the variable $x$ in the reduction. We close 
the diagram in one step. 

2. The path $\pi'$ determines a subterm of $M$. If we reduce first then we 
have to apply the hoisting transformation twice to close the diagram 
using the fact that these transformations are preserved by name substitution. 

- The reduction rule is 

$E[\mathsf{let}\ x = \pi_i(y)\ \mathsf{in}\ M] \to E[[z_i/x]M]$ 

where $E(y) = (z_1,\ldots,z_n)$ and $1 \leq i \leq n$. 

$(h_1)$ There are two critical cases. 

1. The first let-definition in the hoisting transformation coincides with 
the let-definition of the tuple in the reduction. We close the diagram 
in one step. 

2. The first let-definition in the hoisting transformation coincides with 
the projection in the reduction. If we reduce first then there is no 
need to apply a hoisting transformation to close the diagram because 
the projection disappears. 

$(h_2)$ The only critical case arises when the redex for the hoisting transformation 
is contained in $M$. We close the diagram in one step using the 
fact that the transformations are preserved by name substitution. 

$(h_3)$ Same argument as in the previous case. 

- The reduction rule is 

$E[\ell > M] \xrightarrow{\ell} E[M]$ 

The hoisting transformations can be either in $E$ or in $M$. In both cases we 
close the diagram in one step. $\square$ 

We conclude by proving by diagram chasing the following proposition. We 
rely on the previous lemma and the fact that $S_h$ is a simulation. 

Proposition 11. The relation $T_h = ((\leadsto^*) \circ S_h)^*$ is a simulation and for all 
terms of the $\lambda^\ell_{cc,a}$-calculus, $M\ T_h\ \mathcal{C}_h(M)$. 

B.10 Proof of theorem 1 [commutation and simulation] 

By composition of the commutation and simulation properties of the four com- 
pilation steps. 

B.11 Proof of proposition 10 [labelling properties] 

(1) Both properties are proven by induction on $M$. The first is immediate. We 
spell out the second. 

$x$ Then $\mathcal{L}_i(x) = x \in W_1 \subseteq W_0$. 

$\lambda x^+.M$ Then $\mathcal{L}_i(\lambda x^+.M) = \lambda x^+.\ell > \mathcal{L}_1(M)$ and by inductive hypothesis $\mathcal{L}_1(M) \in W_1$. 
Hence, $\ell > \mathcal{L}_1(M) \in W_1$ and $\lambda x^+.\ell > \mathcal{L}_1(M) \in W_1$. 

$(M_1,\ldots,M_n)$ Then $\mathcal{L}_i((M_1,\ldots,M_n)) = (\mathcal{L}_0(M_1),\ldots,\mathcal{L}_0(M_n))$ and by inductive 
hypothesis $\mathcal{L}_0(M_j) \in W_0$ for $j = 1,\ldots,n$. 
Hence, $(\mathcal{L}_0(M_1),\ldots,\mathcal{L}_0(M_n)) \in W_1 \subseteq W_0$. 

$\pi_j(M)$ Same argument as for the pairing. 

$\mathsf{let}\ x = M\ \mathsf{in}\ N$ Then $\mathcal{L}_i(\mathsf{let}\ x = M\ \mathsf{in}\ N) = \mathsf{let}\ x = \mathcal{L}_0(M)\ \mathsf{in}\ \mathcal{L}_i(N)$ and 
by inductive hypothesis $\mathcal{L}_0(M) \in W_0$ and $\mathcal{L}_i(N) \in W_i$. Hence $\mathsf{let}\ x = \mathcal{L}_0(M)\ \mathsf{in}\ \mathcal{L}_i(N) \in W_i$. 

$@(M_1,\ldots,M_n)$ and $i = 0$ Then $\mathcal{L}_0(@(M_1,\ldots,M_n)) = @(\mathcal{L}_0(M_1),\ldots,\mathcal{L}_0(M_n)) > \ell$ 
and by inductive hypothesis $\mathcal{L}_0(M_j) \in W_0$ for $j = 1,\ldots,n$. Hence $@(\mathcal{L}_0(M_1),\ldots,\mathcal{L}_0(M_n)) > \ell \in W_0$. 

$@(M_1,\ldots,M_n)$ and $i = 1$ Same argument as in the previous case to conclude 
that $@(\mathcal{L}_0(M_1),\ldots,\mathcal{L}_0(M_n)) \in W_1$. 



(2) By (1) we know that $er(L(M)) = M$ and $L(M) \in W_0$. Then:

$$P = C(M) = C(er(L(M))) = er(C(L(M))) \quad \text{(by theorem 1)}.$$

(3) The main point is to show that the CPS compilation of a labelled term
is a term where a pre-labelling appears exactly after each $\lambda$-abstraction. The
following compilation steps (administrative, closure conversion, hoisting) neither
destroy nor introduce new $\lambda$-abstractions while maintaining the invariant that
the body of each function definition contains exactly one pre-labelling.

As a preliminary step, we define a restricted syntax for the $\lambda^\ell_{cps}$-calculus
where labels occur exactly after each $\lambda$-abstraction.

$$\begin{array}{rcll}
V & ::= & id \mid\mid \lambda id^+.\ell > M \mid\mid (V^+) & \text{(restricted values)} \\
M & ::= & @(V, V^+) \mid\mid \mathbf{let}\ id = \pi_i(V)\ \mathbf{in}\ M & \text{(restricted CPS terms)} \\
K & ::= & id \mid\mid \lambda id.M & \text{(restricted continuations)}
\end{array}$$

Let us call this language $\lambda^\ell_{cps,r}$ ($r$ for restricted). First we remark that if $V$
is a restricted value and $M$ is a restricted CPS term then $[V/x]M$ is again a
restricted CPS term. Then we show the following property.

For all terms $M$ of the $\lambda$-calculus and all continuations $K$ of the $\lambda^\ell_{cps,r}$-calculus
the term $L_i(M) : K$ is again a term of the $\lambda^\ell_{cps,r}$-calculus provided
that $i = 0$ if $K$ is a function and $i = 1$ if $K$ is a variable.

Notice that the initial continuation $K_0 = \lambda x.@(halt, x)$ is a functional
continuation in the restricted calculus and recall that by definition $C_{cps}(L(M)) =
L_0(M) : K_0$. We proceed by induction on $M$ and case analysis assuming that if
$i = 0$ then $K = \lambda y.N$.

$x$, $i = 0$: We have $L_0(x) : K = x : K = [x/y]N$.

$x$, $i = 1$: We have $L_1(x) : k = x : k = @(k, x)$.

$\lambda x^+.M$, $i = 0$: We have

$$L_0(\lambda x^+.M) : K = \lambda x^+.\ell > L_1(M) : K = [\lambda x^+, k.\ell > L_1(M) : k \,/\, y]N$$

and we apply the inductive hypothesis on $L_1(M) : k$ and closure under value
substitution.

$\lambda x^+.M$, $i = 1$: We have

$$L_1(\lambda x^+.M) : k = \lambda x^+.\ell > L_1(M) : k = @(k, \lambda x^+, k.\ell > L_1(M) : k)$$

and we apply the inductive hypothesis on $L_1(M) : k$.

$@(M_1, \ldots, M_n)$, $i = 0$: We have

$$\begin{array}{rcl}
L_0(@(M_1, \ldots, M_n)) : K & = & @(L_0(M_1), \ldots, L_0(M_n)) > \ell : K \\
& = & @(L_0(M_1), \ldots, L_0(M_n)) : K' \\
& = & L_0(M_1) : \lambda x_1. \cdots L_0(M_n) : \lambda x_n.@(x_1, \ldots, x_n, K')
\end{array}$$

where $K' = \lambda y.\ell > N$. Then we apply the inductive hypothesis on $M_n, \ldots, M_1$
with the suitable functional continuations.

$@(M_1, \ldots, M_n)$, $i = 1$: We have

$$\begin{array}{rcl}
L_1(@(M_1, \ldots, M_n)) : K & = & @(L_0(M_1), \ldots, L_0(M_n)) : K \\
& = & L_0(M_1) : \lambda x_1. \cdots L_0(M_n) : \lambda x_n.@(x_1, \ldots, x_n, K) .
\end{array}$$

Again we apply the inductive hypothesis on $M_n, \ldots, M_1$ with the suitable
functional continuations.

$(M_1, \ldots, M_n)$: We have

$$\begin{array}{rcl}
L_i((M_1, \ldots, M_n)) : K & = & (L_0(M_1), \ldots, L_0(M_n)) : K \\
& = & L_0(M_1) : \lambda x_1. \cdots L_0(M_n) : \lambda x_n.(x_1, \ldots, x_n) : K .
\end{array}$$

We apply the inductive hypothesis on $M_n, \ldots, M_1$ with the suitable functional
continuations.

$\pi_j(M)$: We have

$$\begin{array}{rcl}
L_i(\pi_j(M)) : K & = & \pi_j(L_0(M)) : K \\
& = & L_0(M) : \lambda x.\mathbf{let}\ y = \pi_j(x)\ \mathbf{in}\ y : K .
\end{array}$$

We apply the inductive hypothesis on $M$ with a functional continuation.

$\mathbf{let}\ x = N\ \mathbf{in}\ M$: We have

$$\begin{array}{rcl}
L_i(\mathbf{let}\ x = N\ \mathbf{in}\ M) : K & = & \mathbf{let}\ x = L_0(N)\ \mathbf{in}\ L_i(M) : K \\
& = & L_0(N) : \lambda x.L_i(M) : K .
\end{array}$$

We apply the inductive hypothesis on $M$ and then on $N$ with a functional
continuation. □
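As an added illustration (not code from the paper), the labelling $L_i$ and the CPS translation cases used in the proof above, restricted to the fragment without pairs and projections, written in Python together with a check of the invariant that the translation of a labelled program carries a pre-labelling right after each function abstraction. The tuple encoding of terms, the helper names, and the assumption that source binders are pairwise distinct are mine.

```python
import itertools
_ctr = itertools.count()
def fresh(p): return f"{p}{next(_ctr)}"
# Terms (pairs left out): ('var',x) ('lam',[xs],M) ('app',[Ms]) ('let',x,N,M),
# ('pre',l,M) is the pre-labelling l > M and ('post',M,l) the post-labelling M > l.
def label(M, i):
    """L_i(M): a pre-label after every lambda, a post-label after applications when i = 0."""
    t = M[0]
    if t == 'lam': return ('lam', M[1], ('pre', fresh('l'), label(M[2], 1)))
    if t == 'let': return ('let', M[1], label(M[2], 0), label(M[3], i))
    if t == 'app':
        A = ('app', [label(N, 0) for N in M[1]])
        return A if i == 1 else ('post', A, fresh('l'))
    return M  # variable
def subst(V, y, N):  # [V/y]N on CPS terms; generated binders are fresh, source binders assumed distinct
    t = N[0]
    if t == 'var': return V if N[1] == y else N
    if t == 'app': return ('app', [subst(V, y, X) for X in N[1]])
    if t == 'let': return ('let', N[1], subst(V, y, N[2]), subst(V, y, N[3]))
    return (t, N[1], subst(V, y, N[2]))  # lam, pre
def ret(V, K):  # V : K for K = ('kvar', k) or K = ('kfun', y, N)
    return ('app', [('var', K[1]), V]) if K[0] == 'kvar' else subst(V, K[1], K[2])
def cps(M, K):  # M : K, the translation cases used in the proof above
    t = M[0]
    if t == 'var': return ret(M, K)
    if t == 'lam':  # \x+.M : K = (\x+,k. M : k) : K
        k = fresh('k')
        return ret(('lam', M[1] + [k], cps(M[2], ('kvar', k))), K)
    if t == 'app':  # @(M1..Mn) : K = M1 : \x1. ... Mn : \xn. @(x1..xn, K)
        xs = [('var', fresh('x')) for _ in M[1]]
        body = ('app', xs + [('var', K[1]) if K[0] == 'kvar' else ('lam', [K[1]], K[2])])
        for N, x in reversed(list(zip(M[1], xs))):
            body = cps(N, ('kfun', x[1], body))
        return body
    if t == 'let': return cps(M[2], ('kfun', M[1], cps(M[3], K)))  # N : \x.(M : K)
    if t == 'pre': return ('pre', M[1], cps(M[2], K))
    assert K[0] == 'kfun', "post-labels only meet functional continuations"
    return cps(M[1], ('kfun', K[1], ('pre', M[2], K[2])))  # M > l : \y.N = M : \y.l > N
def well_labelled(T, under_lam=True):
    """Source functions open with a pre-label, pre-labels sit right under a lambda or at the root, no post-label is left."""
    t = T[0]
    if t == 'post': return False
    if t == 'pre': return under_lam and well_labelled(T[2], False)
    if t == 'lam': return (len(T[1]) < 2 or T[2][0] == 'pre') and well_labelled(T[2], True)
    if t == 'app': return all(well_labelled(X, False) for X in T[1])
    return t != 'let' or (well_labelled(T[2], False) and well_labelled(T[3], False))
K0 = ('kfun', 'r', ('app', [('var', 'halt'), ('var', 'r')]))  # K_0 = \r.@(halt, r)
def compile_labelled(M): return cps(label(M, 0), K0)  # C_cps(L(M)) = L_0(M) : K_0
```

Running `compile_labelled` on `let f = \x.x in @(f, z)` yields a term whose function abstraction and whose return continuation (the post-label of the application has become its pre-label) both open with a label, while the unlabelled translation `cps(M, K0)` fails the check.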



